diff --git a/package-lock.json b/package-lock.json index f93b5ec..38cf7ac 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@mitre/inspec-objects", - "version": "1.0.1", + "version": "2.0.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@mitre/inspec-objects", - "version": "1.0.1", + "version": "2.0.1", "license": "Apache-2.0", "dependencies": { "@types/flat": "5.0.2", diff --git a/package.json b/package.json index b39e6a4..83fc7b9 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@mitre/inspec-objects", - "version": "2.0.0", + "version": "2.0.1", "description": "Typescript objects for normalizing between InSpec profiles and XCCDF benchmarks", "main": "lib/index.js", "publishConfig": { diff --git a/src/parsers/oval.ts b/src/parsers/oval.ts index c0a3451..5dd7602 100644 --- a/src/parsers/oval.ts +++ b/src/parsers/oval.ts @@ -100,8 +100,8 @@ export function processOVAL(oval?: string): Record return undefined } - const parsed: Oval = convertEncodedXmlIntoJson(oval) - + const parsed: Oval = convertEncodedXmlIntoJson(oval, 'withArrayNoEntitiesOption') + const extractedDefinitions: Record = {} for (const ovalDefinitions of parsed.oval_definitions) { diff --git a/src/parsers/xccdf.ts b/src/parsers/xccdf.ts index dc159b4..762d6ca 100644 --- a/src/parsers/xccdf.ts +++ b/src/parsers/xccdf.ts @@ -2,7 +2,7 @@ import Profile from '../objects/profile'; import { convertEncodedHTMLIntoJson, convertEncodedXmlIntoJson, convertJsonIntoXML, impactNumberToSeverityString, - removeXMLSpecialCharacters, severityStringToImpact + removeHtmlTags, removeXMLSpecialCharacters, severityStringToImpact } from '../utilities/xccdf'; import {BenchmarkGroup, BenchmarkRule, DecodedDescription, FrontMatter, Notice, ParsedXCCDF, RationaleElement, 
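Review bot: The new call `convertEncodedXmlIntoJson(oval, 'withArrayNoEntitiesOption')` in processOVAL selects the one parser preset whose options set `processEntities: true`, so DOCTYPE-declared entities in a user-supplied OVAL file are now expanded by fast-xml-parser, while the XCCDF path in this same commit keeps entities off and decodes with `he` after parsing. Entity expansion over untrusted XML is where the billion-laughs class of problems lives and where this library has needed fixes in its 4.x line, and the lockfile hunk on this page only bumps the package's own version, so the pinned fast-xml-parser release is not visible here; confirm it is a release that bounds DOCTYPE entity expansion, or decode after parsing as the XCCDF path does. The preset name also says "NoEntities", which reads as the opposite of what it does, so a call-site comment would save the next reader a trip: `// NOTE: this preset ENABLES entity expansion (processEntities: true); keep the parser pinned to a release with DOCTYPE-entity limits`. processOVAL's body continues past the hunk.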
@@ -67,22 +67,33 @@ export type InputTextLang = { } /** - * Ensures that the input is decoded as an XML string value. + * Ensures that the input is decoded to a string value. * - * @param input - The input value which can be either a string or an array of - * InputTextLang objects. - * @param defaultValue - The default string value to return if the input is - * not a string. - * @returns The decoded XML string value if the input is a string, otherwise the - * value from the first element of the input array or the default value. + * This function takes an input which can be either a string or an array of `InputTextLang` objects. + * If the input is a string, it returns the input as is. + * If the input is an array, it attempts to retrieve the `#text` property from the first element of the array. + * If the input is neither a string nor an array, it attempts to retrieve the `#text` property from the input. + * If the `#text` property is not found, it returns the provided default value. + * + * @param input - The input value which can be a string or an array of `InputTextLang` objects. + * @param defaultValue - The default value to return if the `#text` property is not found. + * @returns The decoded string value or the default value. */ function ensureDecodedXMLStringValue(input: string | InputTextLang[], defaultValue: string): string { - return _.isString(input) ? input : _.get(input, '[0].#text', defaultValue) + return _.isString(input) + ? input + : _.isArray(input) + ? _.get(input, '[0].#text', defaultValue) + : _.get(input, '#text', defaultValue) } /** * Processes an XCCDF XML string and converts it into a Profile object. - * Note: Moved the newline removal to diff library rather than here. + * NOTE: We are using the fast xml parser (FXP) V4 which requires to specify + * which Whether a single tag should be parsed as an array or an object, + * it can't be decided by FXP. 
We process every tag as an array, this is + * the reason there are numerous tag test, were array index zero [0] is + * tested. * * @param xml - The XCCDF XML string to process. * @param removeNewlines - A flag indicating whether to remove newlines from the processed data. @@ -91,7 +102,11 @@ function ensureDecodedXMLStringValue(input: string | InputTextLang[], defaultVal * @returns A Profile object representing the processed XCCDF data. * @throws Will throw an error if the XCCDF file is not properly formatted or if required data is missing. */ -export function processXCCDF(xml: string, removeNewlines: false, useRuleId: 'group' | 'rule' | 'version' | 'cis', ovalDefinitions?: Record): Profile { +export function processXCCDF(xml: string, removeNewlines: false, + useRuleId: 'group' | 'rule' | 'version' | 'cis', + ovalDefinitions?: Record): Profile { + const logger = createWinstonLogger('ts-inspec-objects') const parsedXML: ParsedXCCDF = convertEncodedXmlIntoJson(xml) 
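Review bot: The third branch of `ensureDecodedXMLStringValue`, `_.get(input, '#text', defaultValue)`, is unreachable under the declared parameter type `string | InputTextLang[]`, yet the rewritten docstring advertises it as a supported case ("If the input is neither a string nor an array"). Either widen the signature to `input: string | InputTextLang | InputTextLang[]` so passing a bare object is a legal call, or drop the branch and the matching docstring sentence so the documentation and the type agree. The NOTE added to processXCCDF's docblock also has a garbled clause ("requires to specify which Whether a single tag"); suggested wording: `NOTE: fast-xml-parser v4 cannot tell whether a single tag should be an array or an object, so every tag is parsed as an array — hence the many [0] accesses below.` processXCCDF's body continues past the hunk.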
@@ -99,15 +114,41 @@ export function processXCCDF(xml: string, removeNewlines: false, useRuleId: 'gro throw new Error('Could not process the XCCDF file, check the input to make sure this is a properly formatted XCCDF file.') } + // Extracts all rules from the given benchmark groups. const rules = extractAllRules(parsedXML.Benchmark[0].Group) + // Variable used to store the profile data. + // The name is the benchmark Id, title and summary are from benchmark. const profile = new Profile({ - name: parsedXML.Benchmark[0]['@_id'], - title: (parsedXML.Benchmark[0].title[0] as FrontMatter)['#text'], - summary: (parsedXML.Benchmark[0].description[0] as RationaleElement)['#text'] + //name: parsedXML.Benchmark[0]['@_id'], + // title: (parsedXML.Benchmark[0].title[0] as FrontMatter)['#text'], + // summary: (parsedXML.Benchmark[0].description[0] as RationaleElement)['#text'] + name: Array.isArray(parsedXML.Benchmark[0]['@_id']) + ? parsedXML.Benchmark[0]['@_id'].map(n => (n as FrontMatter)['@_id']).join(' ') === '' + ? parsedXML.Benchmark[0]['@_id'].map(n => (n as string[])).join(' ') + : parsedXML.Benchmark[0]['@_id'].join(' ') + : parsedXML.Benchmark[0]['@_id'], + title: Array.isArray(parsedXML.Benchmark[0].title) + ? parsedXML.Benchmark[0].title.map(t => (t as FrontMatter)['#text']).join(' ') === '' + ? parsedXML.Benchmark[0].title.map(t => (t as unknown as string[])).join(' ') + : parsedXML.Benchmark[0].title.map(t => (t as FrontMatter)['#text']).join(' ') + : parsedXML.Benchmark[0].title, + summary: Array.isArray(parsedXML.Benchmark[0].description) + ? parsedXML.Benchmark[0].description.map(d => (d as RationaleElement)['#text']).join(' ') === '' + ? parsedXML.Benchmark[0].description.map(d => (d as RationaleElement)['p'] || '').join(' ') === '' + ? 
parsedXML.Benchmark[0].description.map(d => (d as unknown as string[])).join(' ') + : parsedXML.Benchmark[0].description.map(d => (d as RationaleElement)['p'] || '').join(' ') + : parsedXML.Benchmark[0].description.map(d => (d as RationaleElement)['#text']).join(' ') + : parsedXML.Benchmark[0].description }); - + + // Process each rule, extracting the necessary + // data and save it to the profile variable. rules.forEach(rule => { + // The description tag contains the following tags: + // "FalsePositives", "FalseNegatives", "Documentable", "Mitigations", + // "SeverityOverrideGuidance", "PotentialImpacts", "ThirdPartyTools", + // "MitigationControl", "Responsibility", "IAControls" let extractedDescription: string | DecodedDescription; if (typeof rule.description === 'object') { if (Array.isArray(rule.description) && _.get(rule, "description[0]['#text']")) { @@ -119,21 +160,25 @@ export function processXCCDF(xml: string, removeNewlines: false, useRuleId: 'gro if (Array.isArray(_.get(rule.description, '[0].p'))) { const joinedDescriptions: string[] = (_.get(rule.description, '[0].p') as string[]) extractedDescription = pretty(joinedDescriptions.join('\n\n')) + extractedDescription = removeHtmlTags(extractedDescription).replace('\n',' ') + } else if (Array.isArray(rule.description)) { + extractedDescription = convertEncodedHTMLIntoJson(rule.description[0]) } else { extractedDescription = JSON.stringify(rule.description) } - } } } else { extractedDescription = convertEncodedHTMLIntoJson(rule.description) } - + + // Create a new control object and populate it with the necessary data. const control = new Control(); + // Update the control Id with the appropriate value based on the rule id. switch (useRuleId) { case 'group': - control.id = rule.group['@_id'] + control.id = rule.group['@_id'].toString() break; case 'rule': if (rule['@_id'][0].toLowerCase().startsWith('sv')) { 
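Review bot: Each of the new `name`/`title`/`summary` expressions runs the same `.map(...).join(' ')` twice — once as the `=== ''` probe and again to produce the value — and the commented-out previous assignments are left inside the constructor call. Move the "prefer `#text`, fall back to the raw value, join with spaces" rule into one small helper next to ensureDecodedXMLStringValue and call it three times; the old lines are in history and should be deleted rather than kept as comments. Note also that `n => (n as FrontMatter)['@_id']` is applied to the elements of the `@_id` attribute array, which fast-xml-parser emits as plain strings when isArray returns true for attributes (the `rule['@_id'][0]` access further down relies on exactly that), so that first probe looks like it will always yield `''` — worth confirming against a parsed sample before simplifying. The `rules.forEach` callback opened in this hunk continues past it.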
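Review bot: `extractedDescription = removeHtmlTags(extractedDescription).replace('\n',' ')` replaces only the first newline, because `String.prototype.replace` with a string pattern is not global, so a `pretty()` result joined with `'\n\n'` keeps all but one of its line breaks. If the intent is to flatten the description use `.replace(/\n/g, ' ')` (or `.replaceAll('\n', ' ')`); if the intent is to keep paragraph breaks, drop the call. The same single-replacement pattern reappears in the fixtext handling later in this file, so whichever intent is chosen should be applied in both places. The enclosing callback starts before and ends after this hunk.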
@@ -143,30 +188,53 @@ export function processXCCDF(xml: string, removeNewlines: false, useRuleId: 'gro } break; case 'version': - control.id = rule.version + if (rule.version !== undefined) { + (_.isArray(rule.version)) + ? control.id = rule.version[0] + : control.id = rule.version + } else { + throw new Error('The rule type "version" did not provide an identification (Id) value') + } break; - case 'cis': - // eslint-disable-next-line no-case-declarations + case 'cis': { + // Regex explained + // \d: + // matches a single digit (0-9), the required starting point of the match. + // (\d?): + // matches an optional digit, there are three of these in sequence + // (.\d(\d?)(\d?)(\d?))?: + // matches an optional group that starts with a period (.) followed + // by one digit and up to three additional optional digits + // The pattern is repeated four times to match between zero and four + // groups of a period followed by one required digit and up to three + // additional optional digits. The pattern matches: + // 1, 123, 1.2, 1.234, 1.2.3.4.5, or 1.23.456.7.89 const controlIdRegex = /\d(\d?)(\d?)(\d?)(.\d(\d?)(\d?)(\d?))?(.\d(\d?)(\d?)(\d?))?(.\d(\d?)(\d?)(\d?))?(.\d(\d?)(\d?)(\d?))?/g - // eslint-disable-next-line no-case-declarations const controlIdMatch = controlIdRegex.exec(rule['@_id']) if (controlIdMatch) { control.id = controlIdMatch[0] } else { - throw new Error(`Could not parse control ID from rule ID: ${rule['@_id']}. Expecting something in this example format: 'xccdf_org.cisecurity.benchmarks_rule_1.1.11_Rule_title_summary`) + throw new Error(`Could not parse control ID from rule ID: ${rule['@_id']}. 
Expecting something in this example format: xccdf_org.cisecurity.benchmarks_rule_1.1.11_Rule_title_summary`) } break; + } default: - throw new Error('useRuleId must be one of "group", "rule", or "version"') + throw new Error('useRuleId must be one of "group", "rule", "version" for STIG benchmarks, or "cis" for CIS benchmarks') } if (!(_.isArray(rule.title) && rule.title.length === 1)) { throw new Error('Rule title is not an array of length 1. Investigate if the file is in the proper format.') } - control.title = removeXMLSpecialCharacters(rule['@_severity'] ? ensureDecodedXMLStringValue(rule.title[0], 'undefined title') : `[[[MISSING SEVERITY FROM BENCHMARK]]] ${ensureDecodedXMLStringValue(rule.title[0],'undefined title')}`) - + // Update the control title with the rule.tile content if a rule severity + // exists after removing any special characters, otherwise set the control + // title to [[[MISSING SEVERITY FROM BENCHMARK]]], undefined title. + control.title = removeXMLSpecialCharacters(rule['@_severity'] || rule['@_weight'] + ? ensureDecodedXMLStringValue(rule.title[0], 'undefined title') + : `[[[MISSING SEVERITY or WEIGHT FROM BENCHMARK]]] ${ensureDecodedXMLStringValue(rule.title[0],'undefined title')}`) + + // Update the control description (desc) with the extracted description content if (typeof extractedDescription === 'object' && !Array.isArray(extractedDescription)) { control.desc = extractedDescription.VulnDiscussion?.split('Satisfies: ')[0] || '' } else if (typeof extractedDescription === 'object') { 
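Review bot: In the `cis` case the separator inside `controlIdRegex` is an unescaped `.`, which matches any character, so the new twelve-line comment's claim that each group is "a period (.) followed by one digit" is not what the pattern enforces — an id fragment such as `1_2` or `1a2` is accepted as if it were `1.2`. Writing it as `/\d{1,4}(\.\d{1,4}){0,4}/` keeps the intended semantics (1–4 digits, then up to four groups of a literal dot and 1–4 digits), drops the unnecessary `g` flag on a regex that is `exec`'d once, and is short enough that the comment can shrink to one line. Separately, `controlIdRegex.exec(rule['@_id'])` coerces an array through `Array.prototype.toString` — the `rule` case two lines up indexes `rule['@_id'][0]`, so the same explicit index would be clearer here. The switch's enclosing callback continues past this hunk.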
@@ -177,12 +245,15 @@ export function processXCCDF(xml: string, removeNewlines: false, useRuleId: 'gro logger.warn(`Invalid value for extracted description: ${extractedDescription}`) } + // Update the control impact with the severity value from the rule, + // default to medium (0.5) if not found. control.impact = severityStringToImpact(rule['@_severity'] || 'medium') if (!control.descs || Array.isArray(control.descs)) { control.descs = {} } + // Update the control descriptions (descs) check with the check text from the rule, if (rule.check) { if (rule.check.some((ruleValue) => 'check-content' in ruleValue)) { control.descs.check = removeXMLSpecialCharacters(rule.check ? rule.check[0]['check-content'][0] : 'Missing description') @@ -232,14 +303,15 @@ export function processXCCDF(xml: string, removeNewlines: false, useRuleId: 'gro checkTexts.push(comment+'\n') } - resolvedValue.resolvedObjects.forEach((resolvedObject: any) => { - // Try to find the associated state for a resolved object const resolvedId = resolvedObject['@_id'].split(':')[resolvedValue['@_id'].split(':').length - 1] if (resolvedId) { - const relatedResolvedState = resolvedValue.resolvedStates.find((resolvedState: {'@_id': string}) => resolvedState['@_id'].toLowerCase().includes(resolvedId.toLowerCase())) + const relatedResolvedState = + resolvedValue.resolvedStates.find((resolvedState: {'@_id': string}) => + resolvedState['@_id'].toLowerCase().includes(resolvedId.toLowerCase()) + ) if (relatedResolvedState) { _.set(resolvedObject, 'expectedState', _.pickBy(relatedResolvedState, (value, key) => !key.startsWith('@_'))) } 
@@ -261,17 +333,19 @@ export function processXCCDF(xml: string, removeNewlines: false, useRuleId: 'gro } } + // Update the control descriptions (descs) fix with content from the rule + // fixtest, if not found, defaults to "Missing fix text" if (_.get(rule.fixtext, '[0]["#text"]')) { control.descs.fix = removeXMLSpecialCharacters(rule.fixtext[0]['#text']) } else if (typeof rule.fixtext === 'undefined') { if (rule.fix && rule.fix[0]) { - control.descs.fix = removeXMLSpecialCharacters((rule.fix[0] as Notice)['#text'] || 'Missing fix text') + control.descs.fix = removeHtmlTags((rule.fix[0] as Notice)['#text'] || 'Missing fix text') } } else if (typeof rule.fixtext[0] === 'string') { - control.descs.fix = removeXMLSpecialCharacters(rule.fixtext[0]) + control.descs.fix = removeHtmlTags(rule.fixtext[0]) } else if (typeof rule.fixtext[0] === 'object') { if (Array.isArray(rule.fixtext[0])) { - control.descs.fix = removeXMLSpecialCharacters(pretty(convertJsonIntoXML(rule.fixtext[0].map((fixtext: any) => { + control.descs.fix = removeHtmlTags(pretty(convertJsonIntoXML(rule.fixtext[0].map((fixtext: any) => { if (fixtext.div) { return fixtext.div } else { 
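Review bot: Swapping `removeXMLSpecialCharacters` for `removeHtmlTags` in the `rule.fix` and `typeof rule.fixtext[0] === 'string'` branches drops entity decoding entirely: the XCCDF is parsed with the default preset, whose options set `processEntities: false`, so `&lt;`, `&gt;` and `&amp;` in those fix texts now reach `control.descs.fix` still encoded where `he.decode` previously restored them. Compose the two helpers rather than replace one with the other, and strip before decoding so that entity-encoded angle brackets survive as text: `control.descs.fix = removeXMLSpecialCharacters(removeHtmlTags(rule.fixtext[0]))`, and the same for the `rule.fix[0]` branch. That ordering matters if fix text uses `&lt;placeholder&gt;` tokens, which is inferred from how STIG fix text is commonly written; check the sample data. The enclosing `if/else if` chain continues past this hunk.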
@@ -279,21 +353,26 @@ export function processXCCDF(xml: string, removeNewlines: false, useRuleId: 'gro } })))) } else { - control.descs.fix = removeXMLSpecialCharacters(pretty(convertJsonIntoXML(rule.fixtext))) + control.descs.fix = removeHtmlTags(removeXMLSpecialCharacters(pretty(convertJsonIntoXML(rule.fixtext)))).replace('\n',' ').trim() } } else { control.descs.fix = 'Missing fix text' } - + + // Update the control tags base on corresponding rule tags. control.tags.severity = impactNumberToSeverityString(severityStringToImpact(rule['@_severity'] || 'medium')) control.tags.gid = rule.group['@_id'], control.tags.rid = rule['@_id'] control.tags.stig_id = rule['version'] - if (typeof rule.group.title[0] === 'string') { - control.tags.gtitle = removeXMLSpecialCharacters(rule.group.title[0]) + if (typeof rule.group.title === 'string') { + control.tags.gtitle = removeXMLSpecialCharacters(rule.group.title) } else { - control.tags.gtitle = removeXMLSpecialCharacters(_.get(rule.group, 'title[0].#text', 'undefined title')) + const gtitle = _.get(rule.group, 'title[0].#text', 'undefined title') === 'undefined title' + ? _.get(rule.group, 'title[0]', 'undefined title') + : _.get(rule.group, 'title[0].#text', 'undefined title') + + control.tags.gtitle = typeof gtitle === 'string' ? gtitle : (gtitle as FrontMatter)['#text'] || 'undefined title' } if (rule['fix'] && rule['fix'].length > 0) { 
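Review bot: `removeHtmlTags(removeXMLSpecialCharacters(pretty(convertJsonIntoXML(rule.fixtext))))` decodes entities before stripping tags, so any `&lt;...&gt;` that was literal text in the fixtext becomes `<...>` and is then deleted as if it were markup; reversing the order, `removeXMLSpecialCharacters(removeHtmlTags(...))`, removes only real elements. The trailing `.replace('\n',' ')` replaces a single newline because the pattern is a string rather than a global regex — use `.replace(/\n/g, ' ')` if a one-line fix text is the goal. In the new gtitle branch the value is no longer passed through `removeXMLSpecialCharacters`, unlike the `typeof rule.group.title === 'string'` branch directly above it, so whether the group title is entity-decoded now depends on which shape the parser produced. The enclosing callback continues past this hunk.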
@@ -304,11 +383,20 @@ export function processXCCDF(xml: string, removeNewlines: false, useRuleId: 'gro control.tags.rationale = rule['rationale'][0]['#text'] } + // The description tag contains the following tags as well: + // "FalsePositives", "FalseNegatives", "Documentable", "Mitigations", + // "SeverityOverrideGuidance", "PotentialImpacts", "ThirdPartyTools", + // "MitigationControl", "Responsibility", "IAControls" if (typeof extractedDescription === 'object') { - control.tags.satisfies = extractedDescription.VulnDiscussion?.includes('Satisfies: ') && extractedDescription.VulnDiscussion.split('Satisfies: ').length >= 1 ? extractedDescription.VulnDiscussion.split('Satisfies: ')[1].split(',').map(satisfaction => satisfaction.trim()) : undefined + control.tags.satisfies = + extractedDescription.VulnDiscussion?.includes('Satisfies: ') && extractedDescription.VulnDiscussion.split('Satisfies: ').length >= 1 + ? extractedDescription.VulnDiscussion.split('Satisfies: ')[1].split(',').map(satisfaction => satisfaction.trim()) + : undefined control.tags.false_negatives = extractedDescription.FalseNegatives || undefined control.tags.false_positives = extractedDescription.FalsePositives || undefined - control.tags.documentable = typeof extractedDescription.Documentable === 'boolean' ? extractedDescription.Documentable : undefined + control.tags.documentable = typeof extractedDescription.Documentable === 'boolean' + ? extractedDescription.Documentable + : undefined control.tags.mitigations = extractedDescription.Mitigations || undefined control.tags.severity_override_guidance = extractedDescription.SeverityOverrideGuidance || undefined control.tags.potential_impacts = extractedDescription.PotentialImpacts || undefined 
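Review bot: In the reformatted `satisfies` assignment the guard `split('Satisfies: ').length >= 1` is always true — `split` never returns an empty array — so it adds nothing to the preceding `includes('Satisfies: ')` check, and the string is split three times. Bind the split once and test for the part that is actually indexed: `const parts = extractedDescription.VulnDiscussion?.split('Satisfies: ') ?? []` followed by `control.tags.satisfies = parts.length > 1 ? parts[1].split(',').map(s => s.trim()) : undefined`. The comment listing the description's sub-tags is also a verbatim duplicate of the one added earlier in the same function; one copy is enough. The enclosing callback continues past this hunk.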
@@ -319,12 +407,14 @@ export function processXCCDF(xml: string, removeNewlines: false, useRuleId: 'gro control.tags.ia_controls = extractedDescription.IAControls || undefined } + // Ensure that tags inside the tags array are not an array control.tags = _.mapValues(_.omitBy(control.tags, (value) => value === undefined), (value) => { if (value && Array.isArray(value)) { if (Array.isArray(value[0])) { return removeXMLSpecialCharacters(value[0][0] as string) - } - else { + } else if (value.length > 1) { + return value + } else { return removeXMLSpecialCharacters(value[0] as string) } } else if (typeof value === 'string') { @@ -333,8 +423,8 @@ export function processXCCDF(xml: string, removeNewlines: false, useRuleId: 'gro return value } }) - - // Get all identifiers from the rule + + // Get all identifiers from the rule; cci, nist, and legacy if (rule.ident) { rule.ident.forEach((identifier) => { // Get CCIs @@ -361,6 +451,7 @@ export function processXCCDF(xml: string, removeNewlines: false, useRuleId: 'gro }) } + // Update control references with content from the benchmark rule object rule.reference?.forEach((reference) => { if (_.get(reference, '@_href') === '') { control.refs?.push(_.get(reference, '#text', 'undefined href')) @@ -383,10 +474,14 @@ export function processXCCDF(xml: string, removeNewlines: false, useRuleId: 'gro } } else { if ('title' in reference) { - control.refs?.push(_.get(reference, 'title') as string) + const title = _.get(reference, 'title') + if (Array.isArray(title)) { + control.refs?.push(title[0]) + } else { + control.refs?.push(_.get(reference, 'title') as string) + } } } - // Add the reference to the control tags when separated by § if (typeof referenceText === 'string' && referenceText.indexOf('§') !== -1) { const referenceParts = referenceText.split('§') diff --git a/src/types/xccdf.d.ts b/src/types/xccdf.d.ts index a7cf180..63ddaa4 100644 --- a/src/types/xccdf.d.ts +++ b/src/types/xccdf.d.ts 
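Review bot: The new `else if (value.length > 1) { return value }` branch in the tag normalisation returns multi-element arrays untouched, while single-element arrays still go through `removeXMLSpecialCharacters`, so whether a tag's text is entity-decoded now depends on how many values it has. If the intent is to preserve multi-valued tags (cci, nist, satisfies), decode each element instead: `return value.map(v => removeXMLSpecialCharacters(v as string))` — this assumes the elements are strings, which the fixture on this page shows for cci/nist but I cannot confirm for every tag. The comment `// Ensure that tags inside the tags array are not an array` no longer describes the behaviour and should say that multi-valued tags are kept as arrays. The `_.mapValues` callback's enclosing function continues past this hunk.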
@@ -159,6 +159,7 @@ export interface FrontMatter { 'html:code'?: HTMLEmElement[]; 'html:a'?: HTMLA[]; '@_override'?: string; + '@_id'?: string; } export enum Category { @@ -207,6 +208,7 @@ export interface HTMLAElement { export interface RationaleElement { '#text'?: string; + 'p'?: string; '@_xmlns:xhtml': string; '@_xml:lang': XMLLang; 'html:br'?: HTMLBr[]; diff --git a/src/utilities/diff.ts b/src/utilities/diff.ts index 6697702..67764b7 100644 --- a/src/utilities/diff.ts +++ b/src/utilities/diff.ts @@ -131,7 +131,7 @@ export function diffProfile( fromControlIDs, toControlIDs )?.filter((item: string) => !(item.length === 1 && item[0] === ' ')); - + // Contains the new IDs const changedControlIds: string[] = []; @@ -177,7 +177,7 @@ export function diffProfile( } else { logger.error(`Unable to find existing control ${diffValue[1]}`); } - } else if (diffValue[0] === '+' && !changedControlIds.includes(diffValue[1].toString().toLowerCase()) && diffValue[1]) { + } else if (diffValue[0] === '+' && !changedControlIds.includes(diffValue[1].toLowerCase()) && diffValue[1]) { logger.info(JSON.stringify(diffValue)) logger.info(JSON.stringify(changedControlIds)) profileDiff.addedControlIDs.push(diffValue[1]); diff --git a/src/utilities/update.ts b/src/utilities/update.ts index 99c9620..4fea5f0 100644 --- a/src/utilities/update.ts +++ b/src/utilities/update.ts @@ -311,9 +311,9 @@ export function getExistingDescribeFromControl(control: Control): string { export function findUpdatedControlByAllIdentifiers(existingControl: Control, updatedControls: Control[]): Control | undefined { // Try to match based on IDs let updatedControl = updatedControls.find((updatedControl) => { - return updatedControl.id[0].toLowerCase() === existingControl.id[0].toLowerCase() + return updatedControl.id.toLowerCase() === existingControl.id.toLowerCase() }) - + if (updatedControl) { return updatedControl } diff --git a/src/utilities/xccdf.ts b/src/utilities/xccdf.ts index 15f0c7a..c6e149e 100644 
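Review bot: `'p'?: string` added to `RationaleElement` disagrees with how the parser is configured and how the field is consumed: with `isArray: () => true` every tag, including the `p` stop-node, comes back as an array, and processXCCDF guards the same value with `Array.isArray(_.get(rule.description, '[0].p'))` and casts it `as string[]`. Declaring it `'p'?: string[]` would let the `(d as RationaleElement)['p'] || ''` join in the Profile constructor be type-checked instead of relying on Array-to-string coercion inside `.join(' ')`. This is inferred from the parser options in this diff; if `p` can genuinely arrive as a bare string for some input, `string | string[]` is the honest type.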
--- a/src/utilities/xccdf.ts
+++ b/src/utilities/xccdf.ts
@@ -6,35 +6,91 @@ import {DecodedDescription} from '../types/xccdf' import he from 'he' /** - * Converts an encoded XML string into a JSON object. + * Converts an encoded XML string into a JSON object using specified + * parsing options. * - * @param encodedXml - The encoded XML string to be converted. + * @param encodedXml - The encoded XML string to be converted. + * @param xmlParserOption - The parsing option to be used. Defaults to + * 'withArrayOption'. + * Possible values are: + * - 'withArrayOption': Parses XML with array option enabled. + * - 'withArrayNoEntitiesOption': Parses XML with array option + * enabled and processes entities. + * - Any other value: Parses XML without array option. * @returns The JSON representation of the XML string. * * @remarks * This function uses the `fast-xml-parser` library to parse the XML string. * The parser options are configured to: - * - Not ignore attributes. + * - Prevent the parser from converting XML entities (converting < into <) + * - Ignore attributes, allow or disallows attributes to be parsed * - Remove namespace prefixes. * - Prefix attribute names with '@_'. - * - Stop parsing at 'div' and 'p' nodes. - * - Treat all nodes as arrays. + * - Stop parsing 'div' and 'p' tags. + * - Treat all nodes as arrays or not * + * Options being used for the XML parser (V4) are: + * - processEntities: true or false (based on xmlParserOption) + * - ignoreAttributes: false (allow attributes to be parsed) + * - removeNSPrefix: true (remove namespace prefixes) + * - attributeNamePrefix: '@_' (prefix all attribute names with @_) + * - stopNodes: ["*.pre", "*.p"] + * - isArray(): true or false (based on xmlParserOption) + * + * NOTE: The isArray can specify what tags to always convert into an array, we + * do not specify specific fields as it could break parsing if future + * fields are added, we parse all fields as an array. 
+ * * For more details on the parser options, see the documentation for the v4 or v5 version of the library: * {@link https://github.com/NaturalIntelligence/fast-xml-parser/tree/master/docs/v4} */ -export function convertEncodedXmlIntoJson( - encodedXml: string -): any { - const options = { +/** + * Converts an encoded XML string into a JSON object using specified parsing options. + * + * @param encodedXml - The encoded XML string to be converted. + * @param xmlParserOption - The parsing option to be used. Defaults to 'withArrayOption'. + * Possible values are: + * - 'withArrayOption': Parses XML with array option enabled. + * - 'withArrayNoEntitiesOption': Parses XML with array option enabled and processes entities. + * - Any other value: Parses XML without array option. + * @returns The JSON object resulting from the XML parsing. + */ +export function convertEncodedXmlIntoJson(encodedXml: string, xmlParserOption: string = 'withArrayOption'): any { + + const withArrayOption = { + processEntities: false, + ignoreAttributes: false, + removeNSPrefix: true, + attributeNamePrefix: '@_', + stopNodes: ['*.div', '*.p'], + isArray: () => true, + }; + + const withArrayNoEntitiesOption = { + processEntities: true, + ignoreAttributes: false, + removeNSPrefix: true, + attributeNamePrefix: '@_', + stopNodes: ['*.div', '*.p'], + isArray: () => true, + }; + + const noArrayOption = { + processEntities: false, ignoreAttributes: false, removeNSPrefix: true, attributeNamePrefix: '@_', - stopNodes: ['div', 'p'], - // eslint-disable-next-line @typescript-eslint/no-unused-vars - isArray: (_name: string, _jpath: string, _isLeafNode: boolean, _isAttribute: boolean) => true, + stopNodes: ['*.div', '*.p'], + isArray: () => false, }; - const parser = new XMLParser(options); + + const parser = new XMLParser( + xmlParserOption === 'withArrayOption' + ? withArrayOption + : xmlParserOption === 'withArrayNoEntitiesOption' + ? 
withArrayNoEntitiesOption + : noArrayOption) + return parser.parse(encodedXml); } @@ -58,12 +114,20 @@ export function convertJsonIntoXML(data: any) { * @returns The decoded string with XML special characters removed. */ export function removeXMLSpecialCharacters(str: string) { - //console.log('Remove special characters: ', JSON.stringify(str, null, 2)); const result = he.decode(str); - //console.log('Result of he.decode: ', JSON.stringify(result)); return result } +/** + * Removes HTML tags from the given input string. + * + * @param input - The string from which HTML tags should be removed. + * @returns A new string with all HTML tags removed. + */ +export function removeHtmlTags(input: string): string { + return input.replace(/<\/?[^>]+(>|$)/g, ''); +} + /** * Converts a severity string to a numerical impact value. * @@ -174,7 +238,7 @@ export function convertEncodedHTMLIntoJson(encodedHTML?: string): DecodedDescrip }) htmlParser.write(patchedHTML) htmlParser.end() - const converted = convertEncodedXmlIntoJson(xmlChunks.join('')) + const converted = convertEncodedXmlIntoJson(xmlChunks.join(''), 'noArrayOption') let cleaned: Record = {} // Some STIGs have xml tags inside of the actual text which breaks processing, diff --git a/test/sample_data/diffs/RHEL7_V2R6_V2R7.json b/test/sample_data/diffs/RHEL7_V2R6_V2R7.json index 1223e61..cc8fca4 100644 --- a/test/sample_data/diffs/RHEL7_V2R6_V2R7.json +++ b/test/sample_data/diffs/RHEL7_V2R6_V2R7.json 
@@ -1,752 +1,11 @@ { "ignoreFormattingDiff": { "addedControlIDs": [ - [ - "V-100023" - ], - [ - "V-71849" - ], - [ - "V-71855" - ], - [ - "V-71859" - ], - [ - "V-71861" - ], - [ - "V-71863" - ], - [ - "V-71891" - ], - [ - "V-71893" - ], - [ - "V-71897" - ], - [ - "V-71899" - ], - [ - "V-71901" - ], - [ - "V-71903" - ], - [ - "V-71905" - ], - [ - "V-71907" - ], - [ - "V-71909" - ], - [ - "V-71911" - ], - [ - "V-71913" - ], - [ - "V-71915" - ], - [ - "V-71917" - ], - [ - "V-71919" - ], - [ - "V-71921" - ], - [ - "V-71923" - ], - [ - "V-71925" - ], - [ - "V-71927" - ], - [ - "V-71929" - ], - [ - "V-71931" - ], - [ - "V-71933" - ], - [ - "V-71935" - ], - [ - "V-71937" - ], - [ - "V-71939" - ], - [ - "V-71941" - ], - [ - "V-71943" - ], - [ - "V-71945" - ], - [ - "V-71947" - ], - [ - "V-71949" - ], - [ - "V-71951" - ], - [ - "V-71953" - ], - [ - "V-71955" - ], - [ - "V-71957" - ], - [ - "V-71959" - ], - [ - "V-71961" - ], - [ - "V-71963" - ], - [ - "V-71965" - ], - [ - "V-71967" - ], - [ - "V-71969" - ], - [ - "V-71971" - ], - [ - "V-71973" - ], - [ - "V-71975" - ], - [ - "V-71977" - ], - [ - "V-71979" - ], - [ - "V-71983" - ], - [ - "V-71985" - ], - [ - "V-71987" - ], - [ - "V-71989" - ], - [ - "V-71991" - ], - [ - "V-71993" - ], - [ - "V-71995" - ], - [ - "V-71997" - ], - [ - "V-71999" - ], - [ - "V-72001" - ], - [ - "V-72003" - ], - [ - "V-72005" - ], - [ - "V-72007" - ], - [ - "V-72009" - ], - [ - "V-72011" - ], - [ - "V-72013" - ], - [ - "V-72015" - ], - [ - "V-72017" - ], - [ - "V-72019" - ], - [ - "V-72021" - ], - [ - "V-72023" - ], - [ - "V-72025" - ], - [ - "V-72027" - ], - [ - "V-72029" - ], - [ - "V-72031" - ], - [ - "V-72033" - ], - [ - "V-72035" - ], - [ - "V-72037" - ], - [ - "V-72039" - ], - [ - "V-72041" - ], - [ - "V-72043" - ], - [ - "V-72045" - ], - [ - "V-72047" - ], - [ - "V-72049" - ], - [ - "V-72051" - ], - [ - "V-72053" - ], - [ - "V-72055" - ], - [ - "V-72057" - ], - [ - "V-72059" - ], - [ - "V-72061" - ], - [ - "V-72063" - ], - [ - "V-72065" - 
], - [ - "V-72067" - ], - [ - "V-72069" - ], - [ - "V-72071" - ], - [ - "V-72073" - ], - [ - "V-72075" - ], - [ - "V-72077" - ], - [ - "V-72079" - ], - [ - "V-72081" - ], - [ - "V-72083" - ], - [ - "V-72085" - ], - [ - "V-72087" - ], - [ - "V-72089" - ], - [ - "V-72091" - ], - [ - "V-72093" - ], - [ - "V-72095" - ], - [ - "V-72097" - ], - [ - "V-72099" - ], - [ - "V-72101" - ], - [ - "V-72103" - ], - [ - "V-72105" - ], - [ - "V-72107" - ], - [ - "V-72109" - ], - [ - "V-72111" - ], - [ - "V-72113" - ], - [ - "V-72115" - ], - [ - "V-72117" - ], - [ - "V-72119" - ], - [ - "V-72121" - ], - [ - "V-72123" - ], - [ - "V-72125" - ], - [ - "V-72127" - ], - [ - "V-72129" - ], - [ - "V-72131" - ], - [ - "V-72133" - ], - [ - "V-72135" - ], - [ - "V-72137" - ], - [ - "V-72139" - ], - [ - "V-72141" - ], - [ - "V-72145" - ], - [ - "V-72147" - ], - [ - "V-72149" - ], - [ - "V-72151" - ], - [ - "V-72153" - ], - [ - "V-72155" - ], - [ - "V-72157" - ], - [ - "V-72159" - ], - [ - "V-72161" - ], - [ - "V-72163" - ], - [ - "V-72165" - ], - [ - "V-72167" - ], - [ - "V-72171" - ], - [ - "V-72173" - ], - [ - "V-72175" - ], - [ - "V-72177" - ], - [ - "V-72179" - ], - [ - "V-72183" - ], - [ - "V-72185" - ], - [ - "V-72187" - ], - [ - "V-72189" - ], - [ - "V-72191" - ], - [ - "V-72197" - ], - [ - "V-72199" - ], - [ - "V-72201" - ], - [ - "V-72203" - ], - [ - "V-72205" - ], - [ - "V-72207" - ], - [ - "V-72209" - ], - [ - "V-72211" - ], - [ - "V-72213" - ], - [ - "V-72217" - ], - [ - "V-72219" - ], - [ - "V-72221" - ], - [ - "V-72223" - ], - [ - "V-72225" - ], - [ - "V-72227" - ], - [ - "V-72229" - ], - [ - "V-72231" - ], - [ - "V-72233" - ], - [ - "V-72235" - ], - [ - "V-72237" - ], - [ - "V-72239" - ], - [ - "V-72241" - ], - [ - "V-72243" - ], - [ - "V-72245" - ], - [ - "V-72247" - ], - [ - "V-72249" - ], - [ - "V-72251" - ], - [ - "V-72253" - ], - [ - "V-72255" - ], - [ - "V-72257" - ], - [ - "V-72259" - ], - [ - "V-72261" - ], - [ - "V-72263" - ], - [ - "V-72265" - ], - [ - "V-72267" - ], - 
[ - "V-72269" - ], - [ - "V-72273" - ], - [ - "V-72275" - ], - [ - "V-72277" - ], - [ - "V-72279" - ], - [ - "V-72281" - ], - [ - "V-72283" - ], - [ - "V-72285" - ], - [ - "V-72287" - ], - [ - "V-72289" - ], - [ - "V-72291" - ], - [ - "V-72293" - ], - [ - "V-72295" - ], - [ - "V-72297" - ], - [ - "V-72299" - ], - [ - "V-72301" - ], - [ - "V-72303" - ], - [ - "V-72305" - ], - [ - "V-72307" - ], - [ - "V-72309" - ], - [ - "V-72311" - ], - [ - "V-72313" - ], - [ - "V-72315" - ], - [ - "V-72317" - ], - [ - "V-72319" - ], - [ - "V-72417" - ], - [ - "V-72427" - ], - [ - "V-72433" - ], - [ - "V-73155" - ], - [ - "V-73157" - ], - [ - "V-73159" - ], - [ - "V-73161" - ], - [ - "V-73163" - ], - [ - "V-73165" - ], - [ - "V-73167" - ], - [ - "V-73171" - ], - [ - "V-73173" - ], - [ - "V-73175" - ], - [ - "V-73177" - ], - [ - "V-77819" - ], - [ - "V-77821" - ], - [ - "V-77823" - ], - [ - "V-77825" - ], - [ - "V-78995" - ], - [ - "V-78997" - ], - [ - "V-78999" - ], - [ - "V-79001" - ], - [ - "V-81003" - ], - [ - "V-81005" - ], - [ - "V-81007" - ], - [ - "V-81009" - ], - [ - "V-81011" - ], - [ - "V-81013" - ], - [ - "V-81015" - ], - [ - "V-81017" - ], - [ - "V-81019" - ], - [ - "V-81021" - ], - [ - "V-92251" - ], - [ - "V-92253" - ], - [ - "V-92255" - ], - [ - "V-94843" - ] + "V-100023" ], - "removedControlIDs": [ + "removedControlIDs": [], + "renamedControlIDs": {}, + "changedControlIDs": [ "V-71849", "V-71855", "V-71859", @@ -995,8 +254,6 @@ "V-92255", "V-94843" ], - "renamedControlIDs": {}, - "changedControlIDs": [], "addedControls": { "V-100023": { "tags": { @@ -1007,6 +264,12 @@ "stig_id": "RHEL-07-020111", "gtitle": "SRG-OS-000114-GPOS-00059", "fix_id": "F-105707r1_fix", + "satisfies": [ + "SRG-OS-000114-GPOS-00059", + "SRG-OS-000378-GPOS-00163", + "SRG-OS-000480-GPOS-00227" + ], + "documentable": false, "cci": [ "CCI-000366", "CCI-000778", 
@@ -1019,149 +282,65 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-100023" + "DPMS Target Red Hat 7" ], + "id": "V-100023", "title": "The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.", - "desc": "[\"Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.\\n\\nSatisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227false\"]", + "desc": "Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.\n\n", "impact": 0.5, "descs": { "check": "Verify the operating system disables the ability to automount devices in a graphical user interface.\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\nCheck to see if automounter service is disabled with the following commands:\n# cat /etc/dconf/db/local.d/00-No-Automount\n\n[org/gnome/desktop/media-handling]\n\nautomount=false\n\nautomount-open=false\n\nautorun-never=true\n\nIf the output does not match the example above, this is a finding.\n\n# cat /etc/dconf/db/local.d/locks/00-No-Automount\n\n/org/gnome/desktop/media-handling/automount\n\n/org/gnome/desktop/media-handling/automount-open\n\n/org/gnome/desktop/media-handling/autorun-never\nIf the output does not match the example, this is a finding.", "fix": "Configure the graphical user interface to disable the ability to automount devices.\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\nCreate or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following: \n\n[org/gnome/desktop/media-handling]\n\nautomount=false\n\nautomount-open=false\n\nautorun-never=true\n\nCreate or edit the /etc/dconf/db/local.d/locks/00-No-Automount file and add the following:\n/org/gnome/desktop/media-handling/automount\n\n/org/gnome/desktop/media-handling/automount-open\n\n/org/gnome/desktop/media-handling/autorun-never\n\nRun the following command to update the database:\n\n# dconf update" } - }, + } + }, + "changedControls": { "V-71849": { "tags": { - "check_id": "C-72081r8_chk", - "severity": "high", - "gid": "V-71849", - "rid": "SV-86473r4_rule", - "stig_id": "RHEL-07-010010", - "gtitle": "SRG-OS-000257-GPOS-00098", - "fix_id": "F-78201r4_fix", - "cci": [ - "CCI-001494", - "CCI-001496", - "CCI-002165", - "CCI-002235" - ], - "nist": [ - "AU-9", - "AU-9 (3)", - "AC-3 (4)", - "AC-6 (10)" - ] + "check_id__added": "C-72081r8_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-71849" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.", - "desc": "[\"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default.\\n\\nSatisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108false\"]", - "impact": 0.7, - "descs": { - "check": "Verify the file permissions, ownership, and group membership of system files and commands match the vendor values.\n\nCheck the default file permissions, ownership, and group membership of system files and commands with the following command:\n\n# for i in `rpm -Va | egrep -i '^\\.[M|U|G|.]{8}' | cut -d \" \" -f4,5`;do for j in `rpm -qf 
$i`;do rpm -ql $j --dump | cut -d \" \" -f1,5,6,7 | grep $i;done;done\n\n/var/log/gdm 040755 root root\n/etc/audisp/audisp-remote.conf 0100640 root root\n/usr/bin/passwd 0104755 root root\n\nFor each file returned, verify the current permissions, ownership, and group membership:\n# ls -la \n\n-rw-------. 1 root root 133 Jan 11 13:25 /etc/audisp/audisp-remote.conf\n\nIf the file is more permissive than the default permissions, this is a finding.\n\nIf the file is not owned by the default owner and is not documented with the Information System Security Officer (ISSO), this is a finding.\n\nIf the file is not a member of the default group and is not documented with the Information System Security Officer (ISSO), this is a finding.", - "fix": "Run the following command to determine which package owns the file:\n\n# rpm -qf \n\nReset the user and group ownership of files within a package with the following command:\n\n#rpm --setugids \n\n\nReset the permissions of files within a package with the following command:\n\n#rpm --setperms " - } + "descs": {} }, "V-71855": { "tags": { - "check_id": "C-72087r3_chk", - "severity": "high", - "gid": "V-71855", - "rid": "SV-86479r4_rule", - "stig_id": "RHEL-07-010020", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78207r1_fix", - "cci": [ - "CCI-001749" - ], - "nist": [ - "CM-5 (3)" - ] + "check_id__added": "C-72087r3_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-71855" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.", - "desc": "[\"Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection.\\n\\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography 
enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.false\"]", - "impact": 0.7, - "descs": { - "check": "Verify the cryptographic hash of system files and commands match the vendor values.\n\nCheck the cryptographic hash of system files and commands with the following command:\n\nNote: System configuration files (indicated by a \"c\" in the second column) are expected to change over time. Unusual modifications should be investigated through the system audit log.\n\n# rpm -Va --noconfig | grep '^..5'\n\nIf there is any output from the command for system files or binaries, this is a finding.", - "fix": "Run the following command to determine which package owns the file:\n\n# rpm -qf \n\nThe package can be reinstalled from a yum repository using the command:\n\n# sudo yum reinstall \n\nAlternatively, the package can be reinstalled from trusted media using the command:\n\n# sudo rpm -Uvh " - } + "descs": {} }, "V-71859": { "tags": { - "check_id": "C-72091r5_chk", - "severity": "medium", - "gid": "V-71859", - "rid": "SV-86483r4_rule", - "stig_id": "RHEL-07-010030", - "gtitle": "SRG-OS-000023-GPOS-00006", - "fix_id": "F-78211r4_fix", - "cci": [ - "CCI-000048" - ], - "nist": [ - "AC-8 a" - ] + "check_id__added": "C-72091r5_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-71859" - ], - "title": "The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.", - "desc": "[\"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and 
guidance.\\n\\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\\n\\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\\n\\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\\\"\\n\\n\\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. \n\nCheck to see if the operating system displays a banner at the logon screen with the following command:\n\n# grep banner-message-enable /etc/dconf/db/local.d/*\nbanner-message-enable=true\n\nIf \"banner-message-enable\" is set to \"false\" or is missing, this is a finding.", - "fix": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCreate a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:\n\n# touch /etc/dconf/db/local.d/01-banner-message\n\nAdd the following line to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\n[org/gnome/login-screen]\nbanner-message-enable=true\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect." 
- } + "descs": {} }, "V-71861": { "tags": { - "check_id": "C-72093r5_chk", + "check_id__added": "C-72093r5_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-71861", "rid": "SV-86485r5_rule", - "stig_id": "RHEL-07-010040", - "gtitle": "SRG-OS-000023-GPOS-00006", - "fix_id": "F-78213r6_fix", - "cci": [ - "CCI-000048" - ], - "nist": [ - "AC-8 a" - ] + "fix_id": "F-78213r6_fix" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-71861" - ], - "title": "The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.", - "desc": "[\"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\\n\\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\\n\\nThe banner must be formatted in accordance with applicable DoD policy.\\n\\n\\\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\\\"\\n\\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088false\"]", + "desc": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy.\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\n", "impact": 0.5, "descs": { "check": "Verify the operating system displays the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.\n\nCheck that the operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text with the command:\n\n# grep banner-message-text /etc/dconf/db/local.d/*\nbanner-message-text=\n'You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the Graphical User Interface.\n\nIf the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.", 
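Review bot: The new `desc` values in this hunk end in a dangling `\n\n` — for V-100023 it is `"…thereby facilitating malicious activity.\n\n"` and for V-71861 it is `"…See User Agreement for details.\"\n\n"`. The old fixture carried the `Satisfies: …` sentence and a stray `false` (apparently the Documentable value) glued onto the description; the new side correctly moves those into the `satisfies` and `documentable` tags, but the paragraph separator that preceded the `Satisfies:` sentence is left behind. If this file is the expected output of the parser, committing it pins that untrimmed tail for every control that has a Satisfies clause, so it is worth confirming the whitespace is intended rather than an artifact of splitting on `Satisfies:` without trimming the remainder (that code is outside this hunk). A `.trim()` on the description text after the split would make the expected value `"desc": "Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity."`.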
@@ -1170,1319 +349,463 @@ }, "V-71863": { "tags": { - "check_id": "C-72097r1_chk", - "severity": "medium", - "gid": "V-71863", - "rid": "SV-86487r3_rule", - "stig_id": "RHEL-07-010050", - "gtitle": "SRG-OS-000023-GPOS-00006", - "fix_id": "F-78217r2_fix", - "cci": [ - "CCI-000048" - ], - "nist": [ - "AC-8 a" - ] + "check_id__added": "C-72097r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71863" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.", - "desc": "[\"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\\n\\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\\n\\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\\n\\n\\\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\\\"\\n\\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon.\n\nCheck to see if the operating system displays a banner at the command line logon screen with the following command:\n\n# more /etc/issue\n\nThe command should return the following text:\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nIf the operating system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.\n\nIf the text in the \"/etc/issue\" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.", - "fix": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the command line by editing the \"/etc/issue\" file.\n\nReplace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"" - } + "descs": {} }, "V-71891": { "tags": { - "check_id": "C-72123r2_chk", - "severity": "medium", - "gid": "V-71891", - "rid": "SV-86515r6_rule", - "stig_id": "RHEL-07-010060", - "gtitle": "SRG-OS-000028-GPOS-00009", - "fix_id": "F-78243r9_fix", - "cci": [ - "CCI-000056" - ], - "nist": [ - "AC-11 b" - ] + "check_id__added": "C-72123r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71891" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.", - "desc": "[\"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\\n\\nThe session lock is implemented at the point where session activity can be determined.\\n\\nRegardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.\\n\\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. 
The screen program must be installed to lock sessions on the console.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if the screen lock is enabled with the following command:\n\n# grep -i lock-enabled /etc/dconf/db/local.d/*\nlock-enabled=true\n\nIf the \"lock-enabled\" setting is missing or is not set to \"true\", this is a finding.", - "fix": "Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following example:\n\n# touch /etc/dconf/db/local.d/00-screensaver\n\nEdit the \"[org/gnome/desktop/screensaver]\" section of the database file and add or update the following lines:\n\n# Set this to true to lock the screen when the screensaver activates\nlock-enabled=true\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect." - } + "descs": {} }, "V-71893": { "tags": { - "check_id": "C-72125r1_chk", - "severity": "medium", - "gid": "V-71893", - "rid": "SV-86517r5_rule", - "stig_id": "RHEL-07-010070", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-78245r5_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id__added": "C-72125r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-71893" - ], - "title": "The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.", - "desc": "[\"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if GNOME is configured to display a screensaver after a 15 minute delay with the following command:\n\n# grep -i idle-delay /etc/dconf/db/local.d/*\nidle-delay=uint32 900\n\nIf the \"idle-delay\" setting is missing or is not set to \"900\" or less, this is a finding.", - "fix": "Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:\n\n# touch /etc/dconf/db/local.d/00-screensaver\n\nEdit /etc/dconf/db/local.d/00-screensaver and add or update the following lines:\n\n[org/gnome/desktop/session]\n# Set the lock time out to 900 seconds before the session is considered idle\nidle-delay=uint32 900\n\nYou must include the \"uint32\" along with the integer key values as shown.\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect." 
- } + "descs": {} }, "V-71897": { "tags": { - "check_id": "C-72129r3_chk", - "severity": "medium", - "gid": "V-71897", - "rid": "SV-86521r3_rule", - "stig_id": "RHEL-07-010090", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-78249r3_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id__added": "C-72129r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71897" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must have the screen package installed.", - "desc": "[\": A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe screen and tmux packages allow for a session lock to be implemented and configured.\\nfalse\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system has the screen package installed.\n\nCheck to see if the screen package is installed with the following command:\n\n# yum list installed screen\nscreen-4.3.1-3-x86_64.rpm\n\nIf the screen package is not installed, check to see if the tmux package is installed with the following command:\n\n#yum list installed tmux\ntmux-1.8-4.el7.x86_64.rpm \n\nIf either the screen package or the tmux package is not installed, this is a finding.", - "fix": "Install the screen package to allow the initiation of a session lock after a 15-minute period of inactivity.\n\nInstall the screen program (if it is not on the system) with the following command:\n\n# yum install screen \n\nOR\n\nInstall the tmux program (if it is not on the system) with the following 
command:\n\n#yum install tmux" - } + "descs": {} }, "V-71899": { "tags": { - "check_id": "C-72131r4_chk", - "severity": "medium", - "gid": "V-71899", - "rid": "SV-86523r5_rule", - "stig_id": "RHEL-07-010100", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-78251r2_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id__added": "C-72131r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71899" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.", - "desc": "[\"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces. 
The screen program must be installed to lock sessions on the console.\n\nNote: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.\n\nCheck for the session lock settings with the following commands:\n\n# grep -i idle-activation-enabled /etc/dconf/db/local.d/*\n\nidle-activation-enabled=true\n\nIf \"idle-activation-enabled\" is not set to \"true\", this is a finding.", - "fix": "Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\n# touch /etc/dconf/db/local.d/00-screensaver\n\nAdd the setting to enable screensaver locking after 15 minutes of inactivity:\n\n[org/gnome/desktop/screensaver]\n\nidle-activation-enabled=true\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect." - } + "descs": {} }, "V-71901": { "tags": { - "check_id": "C-72133r5_chk", - "severity": "medium", - "gid": "V-71901", - "rid": "SV-86525r3_rule", - "stig_id": "RHEL-07-010110", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-78253r2_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id__added": "C-72133r5_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-71901" - ], - "title": "The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.", - "desc": "[\"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.\n\nIf GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command:\n\n# grep -i lock-delay /etc/dconf/db/local.d/*\nlock-delay=uint32 5\n\nIf the \"lock-delay\" setting is missing, or is not set to \"5\" or less, this is a finding.", - "fix": "Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\n# touch /etc/dconf/db/local.d/00-screensaver\n\nAdd the setting to enable session locking when a screensaver is activated:\n\n[org/gnome/desktop/screensaver]\nlock-delay=uint32 5\n\nThe \"uint32\" must be included along with the integer key values as shown.\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect." 
- } + "descs": {} }, "V-71903": { "tags": { - "check_id": "C-72135r3_chk", - "severity": "medium", - "gid": "V-71903", - "rid": "SV-86527r3_rule", - "stig_id": "RHEL-07-010120", - "gtitle": "SRG-OS-000069-GPOS-00037", - "fix_id": "F-78255r1_fix", - "cci": [ - "CCI-000192" - ], - "nist": [ - "IA-5 (1) (a)" - ] + "check_id__added": "C-72135r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71903" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\\n\\nPassword complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false\"]", - "impact": 0.5, - "descs": { - "check": "Note: The value to require a number of upper-case characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"ucredit\" in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep ucredit /etc/security/pwquality.conf \nucredit = -1\n\nIf the value of \"ucredit\" is not set to a negative value, this is a finding.", - "fix": "Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used by setting the \"ucredit\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nucredit = -1" - } + "descs": {} }, "V-71905": { "tags": { - "check_id": "C-72137r5_chk", - "severity": "medium", - "gid": "V-71905", - "rid": "SV-86529r5_rule", - "stig_id": "RHEL-07-010130", - "gtitle": "SRG-OS-000070-GPOS-00038", - "fix_id": "F-78257r6_fix", - "cci": [ - "CCI-000193" - ], - "nist": [ - "IA-5 (1) (a)" - ] + "check_id__added": "C-72137r5_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71905" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\\n\\nPassword complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false\"]", - "impact": 0.5, - "descs": { - "check": "Note: The value to require a number of lower-case characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"lcredit\" in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep lcredit /etc/security/pwquality.conf \nlcredit = -1 \n\nIf the value of \"lcredit\" is not set to a negative value, this is a finding.", - "fix": "Configure the system to require at least one lower-case character when creating or changing a password.\n\nAdd or modify the following line \nin \"/etc/security/pwquality.conf\":\n\nlcredit = -1" - } + "descs": {} }, "V-71907": { "tags": { - "check_id": "C-72139r2_chk", - "severity": "medium", - "gid": "V-71907", - "rid": "SV-86531r3_rule", - "stig_id": "RHEL-07-010140", - "gtitle": "SRG-OS-000071-GPOS-00039", - "fix_id": "F-78259r1_fix", - "cci": [ - "CCI-000194" - ], - "nist": [ - "IA-5 (1) (a)" - ] + "check_id__added": "C-72139r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71907" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\\n\\nPassword complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false\"]", - "impact": 0.5, - "descs": { - "check": "Note: The value to require a number of numeric characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"dcredit\" in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep dcredit /etc/security/pwquality.conf \ndcredit = -1 \n\nIf the value of \"dcredit\" is not set to a negative value, this is a finding.", - "fix": "Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the \"dcredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\ndcredit = -1" - } + "descs": {} }, "V-71909": { "tags": { - "check_id": "C-72141r1_chk", - "severity": "medium", - "gid": "V-71909", - "rid": "SV-86533r2_rule", - "stig_id": "RHEL-07-010150", - "gtitle": "SRG-OS-000266-GPOS-00101", - "fix_id": "F-78261r2_fix", - "cci": [ - "CCI-001619" - ], - "nist": [ - "IA-5 (1) (a)" - ] + "check_id__added": "C-72141r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71909" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\\n\\nPassword complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system enforces password complexity by requiring that at least one special character be used.\n\nNote: The value to require a number of special characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"ocredit\" in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep ocredit /etc/security/pwquality.conf \nocredit=-1\n\nIf the value of \"ocredit\" is not set to a negative value, this is a finding.", - "fix": "Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the \"ocredit\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nocredit = -1" - } + "descs": {} }, "V-71911": { "tags": { - "check_id": "C-72143r1_chk", - "severity": "medium", - "gid": "V-71911", - "rid": "SV-86535r2_rule", - "stig_id": "RHEL-07-010160", - "gtitle": "SRG-OS-000072-GPOS-00040", - "fix_id": "F-78263r1_fix", - "cci": [ - "CCI-000195" - ], - "nist": [ - "IA-5 (1) (b)" - ] + "check_id__added": "C-72143r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71911" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\\n\\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false\"]", - "impact": 0.5, - "descs": { - "check": "The \"difok\" option sets the number of characters in a password that must not be present in the old password.\n\nCheck for the value of the \"difok\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep difok /etc/security/pwquality.conf \ndifok = 8\n\nIf the value of \"difok\" is set to less than \"8\", this is a finding.", - "fix": "Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the \"difok\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\ndifok = 8" - } + "descs": {} }, "V-71913": { "tags": { - "check_id": "C-72145r1_chk", - "severity": "medium", - "gid": "V-71913", - "rid": "SV-86537r2_rule", - "stig_id": "RHEL-07-010170", - "gtitle": "SRG-OS-000072-GPOS-00040", - "fix_id": "F-78265r1_fix", - "cci": [ - "CCI-000195" - ], - "nist": [ - "IA-5 (1) (b)" - ] + "check_id__added": "C-72145r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71913" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\\n\\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false\"]", - "impact": 0.5, - "descs": { - "check": "The \"minclass\" option sets the minimum number of required classes of characters for the new password (digits, upper-case, lower-case, others).\n\nCheck for the value of the \"minclass\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep minclass /etc/security/pwquality.conf \nminclass = 4\n\nIf the value of \"minclass\" is set to less than \"4\", this is a finding.", - "fix": "Configure the operating system to require the change of at least four character classes when passwords are changed by setting the \"minclass\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n\nminclass = 4" - } + "descs": {} }, "V-71915": { "tags": { - "check_id": "C-72147r2_chk", - "severity": "medium", - "gid": "V-71915", - "rid": "SV-86539r3_rule", - "stig_id": "RHEL-07-010180", - "gtitle": "SRG-OS-000072-GPOS-00040", - "fix_id": "F-78267r2_fix", - "cci": [ - "CCI-000195" - ], - "nist": [ - "IA-5 (1) (b)" - ] + "check_id__added": "C-72147r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71915" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\\n\\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false\"]", - "impact": 0.5, - "descs": { - "check": "The \"maxrepeat\" option sets the maximum number of allowed same consecutive characters in a new password.\n\nCheck for the value of the \"maxrepeat\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep maxrepeat /etc/security/pwquality.conf \nmaxrepeat = 3\n\nIf the value of \"maxrepeat\" is set to more than \"3\", this is a finding.", - "fix": "Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the \"maxrepeat\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n\nmaxrepeat = 3" - } + "descs": {} }, "V-71917": { "tags": { - "check_id": "C-72149r1_chk", - "severity": "medium", - "gid": "V-71917", - "rid": "SV-86541r2_rule", - "stig_id": "RHEL-07-010190", - "gtitle": "SRG-OS-000072-GPOS-00040", - "fix_id": "F-78269r1_fix", - "cci": [ - "CCI-000195" - ], - "nist": [ - "IA-5 (1) (b)" - ] + "check_id__added": "C-72149r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71917" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\\n\\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false\"]", - "impact": 0.5, - "descs": { - "check": "The \"maxclassrepeat\" option sets the maximum number of allowed same consecutive characters in the same class in the new password.\n\nCheck for the value of the \"maxclassrepeat\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep maxclassrepeat /etc/security/pwquality.conf \nmaxclassrepeat = 4\n\nIf the value of \"maxclassrepeat\" is set to more than \"4\", this is a finding.", - "fix": "Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the \"maxclassrepeat\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" conf (or modify the line to have the required value):\n\nmaxclassrepeat = 4" - } + "descs": {} }, "V-71919": { "tags": { - "check_id": "C-72151r3_chk", - "severity": "medium", - "gid": "V-71919", - "rid": "SV-86543r3_rule", - "stig_id": "RHEL-07-010200", - "gtitle": "SRG-OS-000073-GPOS-00041", - "fix_id": "F-78271r4_fix", - "cci": [ - "CCI-000196" - ], - "nist": [ - "IA-5 (1) (c)" - ] + "check_id__added": "C-72151r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71919" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.", - "desc": "[\"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. 
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.\n\nCheck that the system is configured to create SHA512 hashed passwords with the following command:\n\n# grep password /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nOutcome should look like following:\n/etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n/etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n\nIf the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" configuration files allow for password hashes other than SHA512 to be used, this is a finding.", - "fix": "Configure the operating system to store only SHA512 encrypted representations of passwords.\n\nAdd the following line in \"/etc/pam.d/system-auth\":\npam_unix.so sha512 shadow try_first_pass use_authtok\n\nAdd the following line in \"/etc/pam.d/password-auth\":\npam_unix.so sha512 shadow try_first_pass use_authtok\n\nNote: Manual changes to the listed files may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used to update the configurations listed in this requirement." 
- } + "descs": {} }, "V-71921": { "tags": { - "check_id": "C-72153r1_chk", - "severity": "medium", - "gid": "V-71921", - "rid": "SV-86545r2_rule", - "stig_id": "RHEL-07-010210", - "gtitle": "SRG-OS-000073-GPOS-00041", - "fix_id": "F-78273r1_fix", - "cci": [ - "CCI-000196" - ], - "nist": [ - "IA-5 (1) (c)" - ] + "check_id__added": "C-72153r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71921" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.", - "desc": "[\"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the system's shadow file is configured to store only encrypted representations of passwords. 
The strength of encryption that must be used to hash passwords for all accounts is SHA512.\n\nCheck that the system is configured to create SHA512 hashed passwords with the following command:\n\n# grep -i encrypt /etc/login.defs\nENCRYPT_METHOD SHA512\n\nIf the \"/etc/login.defs\" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.", - "fix": "Configure the operating system to store only SHA512 encrypted representations of passwords.\n\nAdd or update the following line in \"/etc/login.defs\":\n\nENCRYPT_METHOD SHA512" - } + "descs": {} }, "V-71923": { "tags": { - "check_id": "C-72155r3_chk", - "severity": "medium", - "gid": "V-71923", - "rid": "SV-86547r3_rule", - "stig_id": "RHEL-07-010220", - "gtitle": "SRG-OS-000073-GPOS-00041", - "fix_id": "F-78275r1_fix", - "cci": [ - "CCI-000196" - ], - "nist": [ - "IA-5 (1) (c)" - ] + "check_id__added": "C-72155r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71923" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.", - "desc": "[\"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the user and group account administration utilities are configured to store only encrypted representations of passwords. 
The strength of encryption that must be used to hash passwords for all accounts is \"SHA512\".\n\nCheck that the system is configured to create \"SHA512\" hashed passwords with the following command:\n\n# grep -i sha512 /etc/libuser.conf \n\ncrypt_style = sha512\n\nIf the \"crypt_style\" variable is not set to \"sha512\", is not in the defaults section, is commented out, or does not exist, this is a finding.", - "fix": "Configure the operating system to store only SHA512 encrypted representations of passwords.\n\nAdd or update the following line in \"/etc/libuser.conf\" in the [defaults] section: \n\ncrypt_style = sha512" - } + "descs": {} }, "V-71925": { "tags": { - "check_id": "C-72157r1_chk", - "severity": "medium", - "gid": "V-71925", - "rid": "SV-86549r2_rule", - "stig_id": "RHEL-07-010230", - "gtitle": "SRG-OS-000075-GPOS-00043", - "fix_id": "F-78277r1_fix", - "cci": [ - "CCI-000198" - ], - "nist": [ - "IA-5 (1) (d)" - ] + "check_id__added": "C-72157r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71925" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime.", - "desc": "[\"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user accounts.\n\nCheck for the value of \"PASS_MIN_DAYS\" in \"/etc/login.defs\" with the following command: \n\n# grep -i pass_min_days /etc/login.defs\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is not \"1\" or greater, or is commented out, this is a finding.", - "fix": "Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime.\n\nAdd the following line in \"/etc/login.defs\" (or modify the line to have the required value):\n\nPASS_MIN_DAYS 1" - } + "descs": {} }, "V-71927": { "tags": { - "check_id": "C-72159r2_chk", - "severity": "medium", - "gid": "V-71927", - "rid": "SV-86551r2_rule", - "stig_id": "RHEL-07-010240", - "gtitle": "SRG-OS-000075-GPOS-00043", - "fix_id": "F-78279r1_fix", - "cci": [ - "CCI-000198" - ], - "nist": [ - "IA-5 (1) (d)" - ] + "check_id__added": "C-72159r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71927" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime.", - "desc": "[\"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false\"]", - "impact": 0.5, - "descs": { - "check": "Check whether the minimum time period between password changes for each user account is one day or greater.\n\n# awk -F: '$4 < 1 {print $1 \" \" $4}' /etc/shadow\n\nIf any results are returned that are not associated with a system account, this is a finding.", - "fix": "Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:\n\n# chage -m 1 [user]" - } + "descs": {} }, "V-71929": { "tags": { - "check_id": "C-72161r2_chk", - "severity": "medium", - "gid": "V-71929", - "rid": "SV-86553r2_rule", - "stig_id": "RHEL-07-010250", - "gtitle": "SRG-OS-000076-GPOS-00044", - "fix_id": "F-78281r1_fix", - "cci": [ - "CCI-000199" - ], - "nist": [ - "IA-5 (1) (d)" - ] + "check_id__added": "C-72161r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71929" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime.", - "desc": "[\"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. 
If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.false\"]", - "impact": 0.5, - "descs": { - "check": "If passwords are not being used for authentication, this is Not Applicable.\n\nVerify the operating system enforces a 60-day maximum password lifetime restriction for new user accounts.\n\nCheck for the value of \"PASS_MAX_DAYS\" in \"/etc/login.defs\" with the following command:\n\n# grep -i pass_max_days /etc/login.defs\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is not 60 or less, or is commented out, this is a finding.", - "fix": "Configure the operating system to enforce a 60-day maximum password lifetime restriction.\n\nAdd the following line in \"/etc/login.defs\" (or modify the line to have the required value):\n\nPASS_MAX_DAYS 60" - } + "descs": {} }, "V-71931": { "tags": { - "check_id": "C-72163r3_chk", - "severity": "medium", - "gid": "V-71931", - "rid": "SV-86555r3_rule", - "stig_id": "RHEL-07-010260", - "gtitle": "SRG-OS-000076-GPOS-00044", - "fix_id": "F-78283r1_fix", - "cci": [ - "CCI-000199" - ], - "nist": [ - "IA-5 (1) (d)" - ] + "check_id__added": "C-72163r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71931" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.", - "desc": "[\"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. 
If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.false\"]", - "impact": 0.5, - "descs": { - "check": "Check whether the maximum time period for existing passwords is restricted to 60 days.\n\n# awk -F: '$5 > 60 {print $1 \" \" $5}' /etc/shadow\n\nIf any results are returned that are not associated with a system account, this is a finding.", - "fix": "Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.\n\n# chage -M 60 [user]" - } + "descs": {} }, "V-71933": { "tags": { - "check_id": "C-72165r2_chk", - "severity": "medium", - "gid": "V-71933", - "rid": "SV-86557r3_rule", - "stig_id": "RHEL-07-010270", - "gtitle": "SRG-OS-000077-GPOS-00045", - "fix_id": "F-78285r3_fix", - "cci": [ - "CCI-000200" - ], - "nist": [ - "IA-5 (1) (e)" - ] + "check_id__added": "C-72165r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71933" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations.", - "desc": "[\"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system prohibits password reuse for a minimum of five generations.\n\nCheck for the value of the \"remember\" argument in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" with the following command:\n\n# grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth\n\npassword requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\nIf the line containing the \"pam_pwhistory.so\" line does not have the \"remember\" module argument set, is commented out, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding.", - "fix": "Configure the operating system to prohibit password reuse for a minimum of five generations.\n\nAdd the following line in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" (or modify the line to have the required value):\n\npassword requisite pam_pwhistory.so use_authtok remember=5 retry=3\n \nNote: Manual changes to the listed files may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used to update the configurations listed in this requirement." 
- } + "descs": {} }, "V-71935": { "tags": { - "check_id": "C-72167r1_chk", - "severity": "medium", - "gid": "V-71935", - "rid": "SV-86559r2_rule", - "stig_id": "RHEL-07-010280", - "gtitle": "SRG-OS-000078-GPOS-00046", - "fix_id": "F-78287r1_fix", - "cci": [ - "CCI-000205" - ], - "nist": [ - "IA-5 (1) (a)" - ] + "check_id__added": "C-72167r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71935" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length.", - "desc": "[\"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\\n\\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system enforces a minimum 15-character password length. 
The \"minlen\" option sets the minimum number of characters in a new password.\n\nCheck for the value of the \"minlen\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep minlen /etc/security/pwquality.conf\nminlen = 15\n\nIf the command does not return a \"minlen\" value of 15 or greater, this is a finding.", - "fix": "Configure operating system to enforce a minimum 15-character password length.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nminlen = 15" - } + "descs": {} }, "V-71937": { "tags": { - "check_id": "C-72169r2_chk", - "severity": "high", - "gid": "V-71937", - "rid": "SV-86561r3_rule", - "stig_id": "RHEL-07-010290", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78289r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72169r2_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71937" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.", - "desc": "[\"If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.false\"]", - "impact": 0.7, - "descs": { - "check": "To verify that null passwords cannot be used, run the following command: \n\n# grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nIf this produces any output, it may be possible to log on with accounts with empty passwords.\n\nIf null passwords can be used, this is a finding.", - "fix": "If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.\n\nRemove any instances of the \"nullok\" option in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" to prevent logons with empty passwords.\n\nNote: Manual changes to the listed files may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used to update the configurations listed in this requirement." - } + "descs": {} }, "V-71939": { "tags": { - "check_id": "C-72171r2_chk", - "severity": "high", - "gid": "V-71939", - "rid": "SV-86563r3_rule", - "stig_id": "RHEL-07-010300", - "gtitle": "SRG-OS-000106-GPOS-00053", - "fix_id": "F-78291r2_fix", - "cci": [ - "CCI-000766" - ], - "nist": [ - "IA-2 (2)" - ] + "check_id__added": "C-72171r2_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71939" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password.", - "desc": "[\"Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false\"]", - "impact": 0.7, - "descs": { - "check": "To determine how the SSH daemon's \"PermitEmptyPasswords\" option is set, run the following command:\n\n# grep -i PermitEmptyPasswords 
/etc/ssh/sshd_config\nPermitEmptyPasswords no\n\nIf no line, a commented line, or a line indicating the value \"no\" is returned, the required value is set.\n\nIf the required value is not set, this is a finding.", - "fix": "To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in \"/etc/ssh/sshd_config\":\n\nPermitEmptyPasswords no\n\nThe SSH service must be restarted for changes to take effect. Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords." - } + "descs": {} }, "V-71941": { "tags": { - "check_id": "C-72173r2_chk", - "severity": "medium", - "gid": "V-71941", - "rid": "SV-86565r2_rule", - "stig_id": "RHEL-07-010310", - "gtitle": "SRG-OS-000118-GPOS-00060", - "fix_id": "F-78293r1_fix", - "cci": [ - "CCI-000795" - ], - "nist": [ - "IA-4 e" - ] + "check_id__added": "C-72173r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71941" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.", - "desc": "[\"Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. 
Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\\n\\nOperating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.false\"]", - "impact": 0.5, - "descs": { - "check": "If passwords are not being used for authentication, this is Not Applicable.\n\nVerify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password expires with the following command:\n\n# grep -i inactive /etc/default/useradd\nINACTIVE=0\n\nIf the value is not set to \"0\", is commented out, or is not defined, this is a finding.", - "fix": "Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) after the password expires.\n\nAdd the following line to \"/etc/default/useradd\" (or modify the line to have the required value):\n\nINACTIVE=0" - } + "descs": {} }, "V-71943": { "tags": { - "check_id": "C-72175r5_chk", - "severity": "medium", - "gid": "V-71943", - "rid": "SV-86567r5_rule", - "stig_id": "RHEL-07-010320", - "gtitle": "SRG-OS-000329-GPOS-00128", - "fix_id": "F-78295r5_fix", - "cci": [ - "CCI-000044", - "CCI-002236", - "CCI-002237", - "CCI-002238" - ], - "nist": [ - "AC-7 a", - "AC-7 b", - "AC-7 b", - "AC-7 b" - ] + "check_id__added": "C-72175r5_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71943" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.", - "desc": "[\"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. 
Limits are imposed by locking the account.\\n\\nSatisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005false\"]", - "impact": 0.5, - "descs": { - "check": "Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command:\n\n# grep pam_faillock.so /etc/pam.d/password-auth\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so \n\nIf the \"deny\" parameter is set to \"0\" or a value less than \"3\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"even_deny_root\" parameter is not set on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"fail_interval\" parameter is set to \"0\" or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"unlock_time\" parameter is not set to \"0\", \"never\", or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nNote: The maximum configurable value for \"unlock_time\" is \"604800\". 
\n\nIf any line referencing the \"pam_faillock.so\" module is commented out, this is a finding.\n\n# grep pam_faillock.so /etc/pam.d/system-auth\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so \n\nIf the \"deny\" parameter is set to \"0\" or a value less than \"3\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"even_deny_root\" parameter is not set on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"fail_interval\" parameter is set to \"0\" or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"unlock_time\" parameter is not set to \"0\", \"never\", or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module or is missing from these lines, this is a finding.\n\nNote: The maximum configurable value for \"unlock_time\" is \"604800\". 
\nIf any line referencing the \"pam_faillock.so\" module is commented out, this is a finding.", - "fix": "Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.\n\nModify the first three lines of the auth section and the first line of the account section of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so \n\nNote: Manual changes to the listed files may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used to update the configurations listed in this requirement." - } + "descs": {} }, "V-71945": { "tags": { - "check_id": "C-72177r4_chk", - "severity": "medium", - "gid": "V-71945", - "rid": "SV-86569r4_rule", - "stig_id": "RHEL-07-010330", - "gtitle": "SRG-OS-000329-GPOS-00128", - "fix_id": "F-78297r3_fix", - "cci": [ - "CCI-002238" - ], - "nist": [ - "AC-7 b" - ] + "check_id__added": "C-72177r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71945" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.", - "desc": "[\"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. 
Limits are imposed by locking the account.\\n\\nSatisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system automatically locks the root account until it is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.\n\n# grep pam_faillock.so /etc/pam.d/password-auth\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 \nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 \naccount required pam_faillock.so\n\nIf the \"even_deny_root\" setting is not defined on both lines with the \"pam_faillock.so\" module, is commented out, or is missing from a line, this is a finding.\n\n# grep pam_faillock.so /etc/pam.d/system-auth\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 \nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so\n\nIf the \"even_deny_root\" setting is not defined on both lines with the \"pam_faillock.so\" module, is commented out, or is missing from a line, this is a finding.", - "fix": "Configure the operating system to lock automatically the root account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.\n\nModify the first three lines of the auth section and the first line of the account section of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so\n\nNote: Manual changes to the listed 
files may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used to update the configurations listed in this requirement." - } + "descs": {} }, "V-71947": { "tags": { - "check_id": "C-72179r3_chk", - "severity": "medium", - "gid": "V-71947", - "rid": "SV-86571r3_rule", - "stig_id": "RHEL-07-010340", - "gtitle": "SRG-OS-000373-GPOS-00156", - "fix_id": "F-78299r2_fix", - "cci": [ - "CCI-002038" - ], - "nist": [ - "IA-11" - ] + "check_id__added": "C-72179r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71947" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.", - "desc": "[\"Without re-authentication, users may access resources or perform tasks for which they do not have authorization. \\n\\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.\\n\\nSatisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158false\"]", - "impact": 0.5, - "descs": { - "check": "If passwords are not being used for authentication, this is Not Applicable.\n\nVerify the operating system requires users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command:\n\n# grep -i nopasswd /etc/sudoers /etc/sudoers.d/*\n\nIf any uncommented line is found with a \"NOPASSWD\" tag, this is a finding.", - "fix": "Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" file with the following command:\n# visudo\n\nRemove any occurrences of \"NOPASSWD\" tags in the file. 
\n\nCheck the configuration of the /etc/sudoers.d/* files with the following command:\n# grep -i nopasswd /etc/sudoers.d/*\n\nRemove any occurrences of \"NOPASSWD\" tags in the file." - } + "descs": {} }, "V-71949": { "tags": { - "check_id": "C-72181r5_chk", - "severity": "medium", - "gid": "V-71949", - "rid": "SV-86573r3_rule", - "stig_id": "RHEL-07-010350", - "gtitle": "SRG-OS-000373-GPOS-00156", - "fix_id": "F-78301r3_fix", - "cci": [ - "CCI-002038" - ], - "nist": [ - "IA-11" - ] + "check_id__added": "C-72181r5_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71949" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.", - "desc": "[\"Without re-authentication, users may access resources or perform tasks for which they do not have authorization. \\n\\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.\\n\\nSatisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system requires users to reauthenticate for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command:\n\n# grep -i authenticate /etc/sudoers /etc/sudoers.d/*\n\nIf any uncommented line is found with a \"!authenticate\" tag, this is a finding.", - "fix": "Configure the operating system to require users to reauthenticate for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" file with the following command:\n\n# visudo\nRemove any occurrences of \"!authenticate\" tags in the file.\n\nCheck the configuration of the \"/etc/sudoers.d/*\" files with the following command:\n\n# grep -i authenticate /etc/sudoers /etc/sudoers.d/*\nRemove any occurrences of 
\"!authenticate\" tags in the file(s)." - } + "descs": {} }, "V-71951": { "tags": { - "check_id": "C-72183r2_chk", - "severity": "medium", - "gid": "V-71951", - "rid": "SV-86575r2_rule", - "stig_id": "RHEL-07-010430", - "gtitle": "SRG-OS-000480-GPOS-00226", - "fix_id": "F-78303r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72183r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71951" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds.", - "desc": "[\"Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\\n\\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. 
Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt.\n\nCheck the value of the \"fail_delay\" parameter in the \"/etc/login.defs\" file with the following command:\n\n# grep -i fail_delay /etc/login.defs\nFAIL_DELAY 4\n\nIf the value of \"FAIL_DELAY\" is not set to \"4\" or greater, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt.\n\nModify the \"/etc/login.defs\" file to set the \"FAIL_DELAY\" parameter to \"4\" or greater:\n\nFAIL_DELAY 4" - } + "descs": {} }, "V-71953": { "tags": { - "check_id": "C-72185r1_chk", - "severity": "high", - "gid": "V-71953", - "rid": "SV-86577r2_rule", - "stig_id": "RHEL-07-010440", - "gtitle": "SRG-OS-000480-GPOS-00229", - "fix_id": "F-78305r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72185r1_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71953" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.", - "desc": "[\"Failure to restrict system access to authenticated users negatively impacts operating system security.false\"]", "impact": 0.7, - "descs": { - "check": "Verify the operating system does not allow an unattended or automatic logon to the system via a graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. 
\n\nCheck for the value of the \"AutomaticLoginEnable\" in the \"/etc/gdm/custom.conf\" file with the following command:\n\n# grep -i automaticloginenable /etc/gdm/custom.conf\nAutomaticLoginEnable=false\n\nIf the value of \"AutomaticLoginEnable\" is not set to \"false\", this is a finding.", - "fix": "Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nAdd or edit the line for the \"AutomaticLoginEnable\" parameter in the [daemon] section of the \"/etc/gdm/custom.conf\" file to \"false\":\n\n[daemon]\nAutomaticLoginEnable=false" - } + "descs": {} }, "V-71955": { "tags": { - "check_id": "C-72187r2_chk", - "severity": "high", - "gid": "V-71955", - "rid": "SV-86579r3_rule", - "stig_id": "RHEL-07-010450", - "gtitle": "SRG-OS-000480-GPOS-00229", - "fix_id": "F-78307r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72187r2_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-71955" - ], - "title": "The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.", - "desc": "[\"Failure to restrict system access to authenticated users negatively impacts operating system security.false\"]", "impact": 0.7, - "descs": { - "check": "Verify the operating system does not allow an unrestricted logon to the system via a graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. 
\n\nCheck for the value of the \"TimedLoginEnable\" parameter in \"/etc/gdm/custom.conf\" file with the following command:\n\n# grep -i timedloginenable /etc/gdm/custom.conf\nTimedLoginEnable=false\n\nIf the value of \"TimedLoginEnable\" is not set to \"false\", this is a finding.", - "fix": "Configure the operating system to not allow an unrestricted account to log on to the system via a graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nAdd or edit the line for the \"TimedLoginEnable\" parameter in the [daemon] section of the \"/etc/gdm/custom.conf\" file to \"false\":\n\n[daemon]\nTimedLoginEnable=false" - } + "descs": {} }, "V-71957": { "tags": { - "check_id": "C-72189r1_chk", - "severity": "medium", - "gid": "V-71957", - "rid": "SV-86581r3_rule", - "stig_id": "RHEL-07-010460", - "gtitle": "SRG-OS-000480-GPOS-00229", - "fix_id": "F-78309r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72189r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71957" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.", - "desc": "[\"Failure to restrict system access to authenticated users negatively impacts operating system security.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system does not allow users to override environment variables to the SSH daemon.\n\nCheck for the value of the \"PermitUserEnvironment\" keyword with the following command:\n\n# grep -i permituserenvironment /etc/ssh/sshd_config\nPermitUserEnvironment no\n\nIf the \"PermitUserEnvironment\" keyword is not set to \"no\", is missing, or is commented out, this is a finding.", - "fix": "Configure the operating system to not allow users to override environment variables to the SSH daemon.\n\nEdit the 
\"/etc/ssh/sshd_config\" file to uncomment or add the line for \"PermitUserEnvironment\" keyword and set the value to \"no\":\n\nPermitUserEnvironment no\n\nThe SSH service must be restarted for changes to take effect." - } + "descs": {} }, "V-71959": { "tags": { - "check_id": "C-72191r1_chk", - "severity": "medium", - "gid": "V-71959", - "rid": "SV-86583r3_rule", - "stig_id": "RHEL-07-010470", - "gtitle": "SRG-OS-000480-GPOS-00229", - "fix_id": "F-78311r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72191r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71959" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system.", - "desc": "[\"Failure to restrict system access to authenticated users negatively impacts operating system security.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system does not allow a non-certificate trusted host SSH logon to the system.\n\nCheck for the value of the \"HostbasedAuthentication\" keyword with the following command:\n\n# grep -i hostbasedauthentication /etc/ssh/sshd_config\nHostbasedAuthentication no\n\nIf the \"HostbasedAuthentication\" keyword is not set to \"no\", is missing, or is commented out, this is a finding.", - "fix": "Configure the operating system to not allow a non-certificate trusted host SSH logon to the system.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for \"HostbasedAuthentication\" keyword and set the value to \"no\":\n\nHostbasedAuthentication no\n\nThe SSH service must be restarted for changes to take effect." 
- } + "descs": {} }, "V-71961": { "tags": { - "check_id": "C-72193r6_chk", - "severity": "high", - "gid": "V-71961", - "rid": "SV-86585r6_rule", - "stig_id": "RHEL-07-010480", - "gtitle": "SRG-OS-000080-GPOS-00048", - "fix_id": "F-78313r3_fix", - "cci": [ - "CCI-000213" - ], - "nist": [ - "AC-3" - ] + "check_id__added": "C-72193r6_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71961" + "DPMS Target Red Hat 7" ], - "title": "Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.", - "desc": "[\"If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.false\"]", "impact": 0.7, - "descs": { - "check": "For systems that use UEFI, this is Not Applicable.\nFor systems that are running RHEL 7.2 or newer, this is Not Applicable.\n\nCheck to see if an encrypted root password is set. 
On systems that use a BIOS, use the following command:\n\n# grep -i password_pbkdf2 /boot/grub2/grub.cfg\n\npassword_pbkdf2 [superusers-account] [password-hash]\n\nIf the root password entry does not begin with \"password_pbkdf2\", this is a finding.\n\nIf the \"superusers-account\" is not set to \"root\", this is a finding.", - "fix": "Configure the system to encrypt the boot password for root.\n\nGenerate an encrypted grub2 password for root with the following command:\n\nNote: The hash generated is an example.\n\n# grub2-mkpasswd-pbkdf2\n\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45\n\nEdit \"/etc/grub.d/40_custom\" and add the following lines below the comments:\n\n# vi /etc/grub.d/40_custom\n\nset superusers=\"root\"\n\npassword_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}\n\nGenerate a new \"grub.conf\" file with the new password with the following commands:\n\n# grub2-mkconfig --output=/tmp/grub2.cfg\n# mv /tmp/grub2.cfg /boot/grub2/grub.cfg" - } + "descs": {} }, "V-71963": { "tags": { - "check_id": "C-72195r4_chk", - "severity": "high", - "gid": "V-71963", - "rid": "SV-86587r4_rule", - "stig_id": "RHEL-07-010490", - "gtitle": "SRG-OS-000080-GPOS-00048", - "fix_id": "F-78315r3_fix", - "cci": [ - "CCI-000213" - ], - "nist": [ - "AC-3" - ] + "check_id__added": "C-72195r4_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-71963" - ], - "title": "Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.", - "desc": "[\"If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on 
the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.false\"]", "impact": 0.7, - "descs": { - "check": "For systems that use BIOS, this is Not Applicable.\nFor systems that are running RHEL 7.2 or newer, this is Not Applicable.\n\nCheck to see if an encrypted root password is set. On systems that use UEFI, use the following command:\n\n# grep -i password /boot/efi/EFI/redhat/grub.cfg\n\npassword_pbkdf2 [superusers-account] [password-hash]\n\nIf the root password entry does not begin with \"password_pbkdf2\", this is a finding.\n\nIf the \"superusers-account\" is not set to \"root\", this is a finding.", - "fix": "Configure the system to encrypt the boot password for root.\n\nGenerate an encrypted grub2 password for root with the following command:\n\nNote: The hash generated is an example.\n\n# grub2-mkpasswd-pbkdf2\n\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45\n\nEdit \"/etc/grub.d/40_custom\" and add the following lines below the comments:\n\n# vi /etc/grub.d/40_custom\n\nset superusers=\"root\"\n\npassword_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}\n\nGenerate a new \"grub.conf\" file with the new password with the following commands:\n\n# grub2-mkconfig --output=/tmp/grub2.cfg\n# mv /tmp/grub2.cfg /boot/efi/EFI/redhat/grub.cfg" - } + "descs": {} }, "V-71965": { "tags": { - "check_id": "C-72197r3_chk", - "severity": "medium", - "gid": "V-71965", - "rid": "SV-86589r2_rule", - "stig_id": "RHEL-07-010500", - "gtitle": "SRG-OS-000104-GPOS-00051", - "fix_id": "F-78317r3_fix", - "cci": [ - "CCI-000766" - ], - "nist": [ - "IA-2 (2)" - ] + "check_id__added": "C-72197r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71965" + "DPMS Target Red Hat 7" ], - "title": "The Red 
Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.", - "desc": "[\"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\\n\\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following:\\n\\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; \\n\\nand\\n\\n2) Accesses that occur through authorized use of group authenticators without individual authentication. 
Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.\\n\\nSatisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication.\n\nCheck to see if smartcard authentication is enforced on the system:\n\n# authconfig --test | grep \"pam_pkcs11 is enabled\"\n\nIf no results are returned, this is a finding.\n\n# authconfig --test | grep \"smartcard removal action\"\n\nIf \"smartcard removal action\" is blank, this is a finding.\n\n# authconfig --test | grep \"smartcard module\"\n\nIf \"smartcard module\" is blank, this is a finding.", - "fix": "Configure the operating system to require individuals to be authenticated with a multifactor authenticator.\n\nEnable smartcard logons with the following commands:\n\n# authconfig --enablesmartcard --smartcardaction=0 --update\n# authconfig --enablerequiresmartcard -update\n\nModify the \"/etc/pam_pkcs11/pkcs11_eventmgr.conf\" file to uncomment the following line:\n\n#/usr/X11R6/bin/xscreensaver-command -lock\n\nModify the \"/etc/pam_pkcs11/pam_pkcs11.conf\" file to use the cackey module if required." 
- } + "descs": {} }, "V-71967": { "tags": { - "check_id": "C-72199r1_chk", - "severity": "high", - "gid": "V-71967", - "rid": "SV-86591r2_rule", - "stig_id": "RHEL-07-020000", - "gtitle": "SRG-OS-000095-GPOS-00049", - "fix_id": "F-78319r1_fix", - "cci": [ - "CCI-000381" - ], - "nist": [ - "CM-7 a" - ] + "check_id__added": "C-72199r1_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71967" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.", - "desc": "[\"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\\n\\nOperating systems are capable of providing a wide variety of functions and services. 
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\\n\\nThe rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.\\n\\nIf a privileged user were to log on using this service, the privileged user password could be compromised.false\"]", - "impact": 0.7, - "descs": { - "check": "Check to see if the rsh-server package is installed with the following command:\n\n# yum list installed rsh-server\n\nIf the rsh-server package is installed, this is a finding.", - "fix": "Configure the operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command:\n\n# yum remove rsh-server" - } + "descs": {} }, "V-71969": { "tags": { - "check_id": "C-72201r1_chk", - "severity": "high", - "gid": "V-71969", - "rid": "SV-86593r2_rule", - "stig_id": "RHEL-07-020010", - "gtitle": "SRG-OS-000095-GPOS-00049", - "fix_id": "F-78321r1_fix", - "cci": [ - "CCI-000381" - ], - "nist": [ - "CM-7 a" - ] + "check_id__added": "C-72201r1_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71969" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not have the ypserv package installed.", - "desc": "[\"Removing the \\\"ypserv\\\" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.false\"]", - "impact": 0.7, - "descs": { - "check": "The NIS service provides an unencrypted authentication service that does not provide for the confidentiality and integrity of user passwords or the remote session.\n\nCheck to see if the \"ypserve\" package is installed with the following command:\n\n# yum list installed ypserv\n\nIf the \"ypserv\" package is 
installed, this is a finding.", - "fix": "Configure the operating system to disable non-essential capabilities by removing the \"ypserv\" package from the system with the following command:\n\n# yum remove ypserv" - } + "descs": {} }, "V-71971": { "tags": { - "check_id": "C-72203r3_chk", + "check_id__added": "C-72203r3_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-71971", "rid": "SV-86595r3_rule", - "stig_id": "RHEL-07-020020", - "gtitle": "SRG-OS-000324-GPOS-00125", - "fix_id": "F-78323r2_fix", - "cci": [ - "CCI-002165", - "CCI-002235" - ], - "nist": [ - "AC-3 (4)", - "AC-6 (10)" - ] + "fix_id": "F-78323r2_fix" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-71971" - ], - "title": "The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.", - "desc": "[\"Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\\n\\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.false\"]", - "impact": 0.5, "descs": { "check": "If an HBSS or HIPS is active on the system, this is Not Applicable.\n\nVerify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nGet a list of authorized users (other than System Administrator and guest accounts) for the system.\n\nCheck the list against the system by using the following command:\n\n# semanage login -l | more\n\nLogin Name SELinux User MLS/MCS Range Service\n__default__ user_u s0-s0:c0.c1023 *\nroot unconfined_u s0-s0:c0.c1023 *\nsystem_u system_u s0-s0:c0.c1023 *\njoe staff_u s0-s0:c0.c1023 *\n\nAll administrators must be mapped to the \"sysadm_u\", \"staff_u\", or an appropriately tailored confined role as defined by the organization.\n\nAll authorized non-administrative users must be mapped to the \"user_u\" role. 
\n\nIf they are not mapped in this way, this is a finding.", "fix": "Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nUse the following command to map a new user to the \"sysadm_u\" role: \n\n#semanage login -a -s sysadm_u \n\nUse the following command to map an existing user to the \"sysadm_u\" role:\n\n#semanage login -m -s sysadm_u \n\nUse the following command to map a new user to the \"staff_u\" role:\n\n#semanage login -a -s staff_u \n\nUse the following command to map an existing user to the \"staff_u\" role:\n\n#semanage login -m -s staff_u \n\nUse the following command to map a new user to the \"user_u\" role:\n\n# semanage login -a -s user_u \n\nUse the following command to map an existing user to the \"user_u\" role:\n\n# semanage login -m -s user_u " 
@@ -2490,5581 +813,1950 @@ }, "V-71973": { "tags": { - "check_id": "C-72205r2_chk", - "severity": "medium", - "gid": "V-71973", - "rid": "SV-86597r2_rule", - "stig_id": "RHEL-07-020030", - "gtitle": "SRG-OS-000363-GPOS-00150", - "fix_id": "F-78325r2_fix", - "cci": [ - "CCI-001744" - ], - "nist": [ - "CM-3 (5)" - ] + "check_id__added": "C-72205r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-71973" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.", - "desc": "[\"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\\n\\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system routinely checks the baseline configuration for unauthorized changes.\n\nNote: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week.\n\nCheck to see if AIDE is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the SA how file integrity checks are performed on the system.\n\nCheck for the presence of a cron job running daily or weekly on the system that executes AIDE daily to scan for changes to the system baseline. The command used in the example will use a daily occurrence.\n\nCheck the cron directories for a script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:\n\n# ls -al /etc/cron.* | grep aide\n-rwxr-xr-x 1 root root 29 Nov 22 2015 aide\n\n# grep aide /etc/crontab /var/spool/cron/root\n/etc/crontab: 30 04 * * * /root/aide\n/var/spool/cron/root: 30 04 * * * /root/aide\n\nIf the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.", - "fix": "Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. 
It will set cron to run AIDE daily, but other file integrity tools may be used: \n\n# more /etc/cron.daily/aide\n#!/bin/bash\n\n/usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil" - } + "descs": {} }, "V-71975": { "tags": { - "check_id": "C-72207r2_chk", - "severity": "medium", - "gid": "V-71975", - "rid": "SV-86599r2_rule", - "stig_id": "RHEL-07-020040", - "gtitle": "SRG-OS-000363-GPOS-00150", - "fix_id": "F-78327r3_fix", - "cci": [ - "CCI-001744" - ], - "nist": [ - "CM-3 (5)" - ] + "check_id__added": "C-72207r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71975" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.", - "desc": "[\"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\\n\\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner.\n\nNote: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert.\n\nCheck to see if AIDE is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the SA how file integrity checks are performed on the system. \n\nCheck for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence.\n\nCheck the cron directories for a \"crontab\" script file controlling the execution of the file integrity application. 
For example, if AIDE is installed on the system, use the following command:\n\n# ls -al /etc/cron.* | grep aide\n-rwxr-xr-x 1 root root 32 Jul 1 2011 aide\n\n# grep aide /etc/crontab /var/spool/cron/root\n/etc/crontab: 30 04 * * * /root/aide\n/var/spool/cron/root: 30 04 * * * /root/aide\n\nAIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example:\n\n# more /etc/cron.daily/aide\n#!/bin/bash\n\n/usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil\n\nIf the file integrity application does not notify designated personnel of changes, this is a finding.", - "fix": "Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. \n\nThe following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. 
\n\n# more /etc/cron.daily/aide\n\n/usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil" - } + "descs": {} }, "V-71977": { "tags": { - "check_id": "C-72209r1_chk", - "severity": "high", - "gid": "V-71977", - "rid": "SV-86601r2_rule", - "stig_id": "RHEL-07-020050", - "gtitle": "SRG-OS-000366-GPOS-00153", - "fix_id": "F-78329r1_fix", - "cci": [ - "CCI-001749" - ], - "nist": [ - "CM-5 (3)" - ] + "check_id__added": "C-72209r1_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71977" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.", - "desc": "[\"Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\\n\\nAccordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.\\n\\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. 
This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.false\"]", - "impact": 0.7, - "descs": { - "check": "Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.\n\nCheck that yum verifies the signature of packages from a repository prior to install with the following command:\n\n# grep gpgcheck /etc/yum.conf\ngpgcheck=1\n\nIf \"gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. \n\nIf there is no process to validate certificates that is approved by the organization, this is a finding.", - "fix": "Configure the operating system to verify the signature of packages from a repository prior to install by setting the following option in the \"/etc/yum.conf\" file:\n\ngpgcheck=1" - } + "descs": {} }, "V-71979": { "tags": { - "check_id": "C-72211r1_chk", - "severity": "high", - "gid": "V-71979", - "rid": "SV-86603r2_rule", - "stig_id": "RHEL-07-020060", - "gtitle": "SRG-OS-000366-GPOS-00153", - "fix_id": "F-78331r1_fix", - "cci": [ - "CCI-001749" - ], - "nist": [ - "CM-5 (3)" - ] + "check_id__added": "C-72211r1_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71979" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the 
organization.", - "desc": "[\"Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\\n\\nAccordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.\\n\\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.false\"]", - "impact": 0.7, - "descs": { - "check": "Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.\n\nCheck that yum verifies the signature of local packages prior to install with the following command:\n\n# grep localpkg_gpgcheck /etc/yum.conf\nlocalpkg_gpgcheck=1\n\nIf \"localpkg_gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified. 
\n\nIf there is no process to validate the signatures of local packages that is approved by the organization, this is a finding.", - "fix": "Configure the operating system to verify the signature of local packages prior to install by setting the following option in the \"/etc/yum.conf\" file:\n\nlocalpkg_gpgcheck=1" - } + "descs": {} }, "V-71983": { "tags": { - "check_id": "C-72215r4_chk", - "severity": "medium", - "gid": "V-71983", - "rid": "SV-86607r4_rule", - "stig_id": "RHEL-07-020100", - "gtitle": "SRG-OS-000114-GPOS-00059", - "fix_id": "F-78335r4_fix", - "cci": [ - "CCI-000366", - "CCI-000778", - "CCI-001958" - ], - "nist": [ - "CM-6 b", - "IA-3", - "IA-3" - ] + "check_id__added": "C-72215r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71983" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.", - "desc": "[\"USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.\\n\\nSatisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227false\"]", - "impact": 0.5, - "descs": { - "check": "If there is an HBSS with a Device Control Module and a Data Loss Prevention mechanism, this requirement is not applicable.\n\nVerify the operating system disables the ability to load the USB Storage kernel module.\n\n# grep -r usb-storage /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v \"^#\"\n\ninstall usb-storage /bin/true\n\nIf the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use USB mass storage devices.\n\nCheck to see if USB mass storage is disabled with the following command:\n\n# grep usb-storage /etc/modprobe.d/* | grep 
-i \"blacklist\" | grep -v \"^#\"\nblacklist usb-storage\n\nIf the command does not return any output or the output is not \"blacklist usb-storage\", and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Configure the operating system to disable the ability to use the USB Storage kernel module.\n\nCreate a file under \"/etc/modprobe.d\" with the following command:\n\n# touch /etc/modprobe.d/usb-storage.conf\n\nAdd the following line to the created file:\n\ninstall usb-storage /bin/true\n\nConfigure the operating system to disable the ability to use USB mass storage devices.\n\n# vi /etc/modprobe.d/blacklist.conf\n\nAdd or update the line:\n\nblacklist usb-storage" - } + "descs": {} }, "V-71985": { "tags": { - "check_id": "C-72217r1_chk", - "severity": "medium", - "gid": "V-71985", - "rid": "SV-86609r2_rule", - "stig_id": "RHEL-07-020110", - "gtitle": "SRG-OS-000114-GPOS-00059", - "fix_id": "F-78337r2_fix", - "cci": [ - "CCI-000366", - "CCI-000778", - "CCI-001958" - ], - "nist": [ - "CM-6 b", - "IA-3", - "IA-3" - ] + "check_id__added": "C-72217r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-71985" - ], - "title": "The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.", - "desc": "[\"Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.\\n\\nSatisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system disables the ability to automount devices.\n\nCheck to see if automounter service is active with the following command:\n\n# systemctl status autofs\nautofs.service - Automounts filesystems on demand\n Loaded: loaded 
(/usr/lib/systemd/system/autofs.service; disabled)\n Active: inactive (dead)\n\nIf the \"autofs\" status is set to \"active\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Configure the operating system to disable the ability to automount devices.\n\nTurn off the automount service with the following commands:\n\n# systemctl stop autofs\n# systemctl disable autofs\n\nIf \"autofs\" is required for Network File System (NFS), it must be documented with the ISSO." - } + "descs": {} }, "V-71987": { "tags": { - "check_id": "C-72219r1_chk", - "severity": "low", - "gid": "V-71987", - "rid": "SV-86611r2_rule", - "stig_id": "RHEL-07-020200", - "gtitle": "SRG-OS-000437-GPOS-00194", - "fix_id": "F-78339r1_fix", - "cci": [ - "CCI-002617" - ], - "nist": [ - "SI-2 (6)" - ] + "check_id__added": "C-72219r1_chk", + "documentable__added": false, + "severity": "low" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-71987" - ], - "title": "The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed.", - "desc": "[\"Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. 
Some information technology products may remove older versions of software automatically from the information system.false\"]", - "impact": 0.3, - "descs": { - "check": "Verify the operating system removes all software components after updated versions have been installed.\n\nCheck if yum is configured to remove unneeded packages with the following command:\n\n# grep -i clean_requirements_on_remove /etc/yum.conf\nclean_requirements_on_remove=1\n\nIf \"clean_requirements_on_remove\" is not set to \"1\", \"True\", or \"yes\", or is not set in \"/etc/yum.conf\", this is a finding.", - "fix": "Configure the operating system to remove all software components after updated versions have been installed.\n\nSet the \"clean_requirements_on_remove\" option to \"1\" in the \"/etc/yum.conf\" file:\n\nclean_requirements_on_remove=1" - } + "descs": {} }, "V-71989": { "tags": { - "check_id": "C-72221r6_chk", - "severity": "high", - "gid": "V-71989", - "rid": "SV-86613r3_rule", - "stig_id": "RHEL-07-020210", - "gtitle": "SRG-OS-000445-GPOS-00199", - "fix_id": "F-78341r2_fix", - "cci": [ - "CCI-002165", - "CCI-002696" - ], - "nist": [ - "AC-3 (4)", - "SI-6 a" - ] + "check_id__added": "C-72221r6_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71989" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must enable SELinux.", - "desc": "[\"Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\\n\\nThis requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.false\"]", - "impact": 0.7, - "descs": { - "check": "If an HBSS or HIPS is active on the system, this is Not Applicable.\n\nVerify the operating system verifies correct operation of all security functions.\n\nCheck if \"SELinux\" is active and in \"Enforcing\" mode with the following command:\n\n# getenforce\nEnforcing\n\nIf \"SELinux\" is not active and not in \"Enforcing\" mode, this is a finding.", - "fix": "Configure the operating system to verify correct operation of all security functions.\n\nSet the \"SELinux\" status and the \"Enforcing\" mode by modifying the \"/etc/selinux/config\" file to have the following line:\n\nSELINUX=enforcing\n\nA reboot is required for the changes to take effect." - } + "descs": {} }, "V-71991": { "tags": { - "check_id": "C-72223r8_chk", - "severity": "high", - "gid": "V-71991", - "rid": "SV-86615r5_rule", - "stig_id": "RHEL-07-020220", - "gtitle": "SRG-OS-000445-GPOS-00199", - "fix_id": "F-78343r2_fix", - "cci": [ - "CCI-002165", - "CCI-002696" - ], - "nist": [ - "AC-3 (4)", - "SI-6 a" - ] + "check_id__added": "C-72223r8_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71991" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.", - "desc": "[\"Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. 
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\\n\\nThis requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.false\"]", - "impact": 0.7, - "descs": { - "check": "If an HBSS or HIPS is active on the system, this is Not Applicable.\n\nVerify the operating system verifies correct operation of all security functions.\n\nCheck if \"SELinux\" is active and is enforcing the targeted policy with the following command:\n\n# sestatus\n\nSELinux status: enabled\n\nSELinuxfs mount: /selinux\n\nSELinux root directory: /etc/selinux\n\nLoaded policy name: targeted\n\nCurrent mode: enforcing\n\nMode from config file: enforcing\n\nPolicy MLS status: enabled\n\nPolicy deny_unknown status: allowed\n\nMax kernel policy version: 28\n\nIf the \"Loaded policy name\" is not set to \"targeted\", this is a finding.\n\nVerify that the /etc/selinux/config file is configured to the \"SELINUXTYPE\" to \"targeted\":\n\n# grep -i \"selinuxtype\" /etc/selinux/config | grep -v '^#'\n\nSELINUXTYPE = targeted\n\nIf no results are returned or \"SELINUXTYPE\" is not set to \"targeted\", this is a finding.", - "fix": "Configure the operating system to verify correct operation of all security functions.\n\nSet the \"SELinuxtype\" to the \"targeted\" policy by modifying the \"/etc/selinux/config\" file to have the following line:\n\nSELINUXTYPE=targeted\n\nA reboot is required for the changes to take effect." 
- } + "descs": {} }, "V-71993": { "tags": { - "check_id": "C-72225r5_chk", - "severity": "high", - "gid": "V-71993", - "rid": "SV-86617r5_rule", - "stig_id": "RHEL-07-020230", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78345r6_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72225r5_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-71993" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.", - "desc": "[\"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.false\"]", - "impact": 0.7, - "descs": { - "check": "Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n\nCheck that the ctrl-alt-del.target is masked and not active with the following command:\n\n# systemctl status ctrl-alt-del.target\n\nctrl-alt-del.target\nLoaded: masked (/dev/null; bad)\nActive: inactive (dead)\n\nIf the ctrl-alt-del.target is not masked, this is a finding.\n\nIf the ctrl-alt-del.target is active, this is a finding.", - "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command:\n\n# systemctl mask ctrl-alt-del.target" - } + "descs": {} }, "V-71995": { "tags": { - "check_id": "C-72227r1_chk", - "severity": "medium", - "gid": "V-71995", - "rid": "SV-86619r2_rule", - "stig_id": "RHEL-07-020240", - "gtitle": "SRG-OS-000480-GPOS-00228", - 
"fix_id": "F-78347r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72227r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-71995" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.", - "desc": "[\"Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files.\n\nCheck for the value of the \"UMASK\" parameter in \"/etc/login.defs\" file with the following command:\n\nNote: If the value of the \"UMASK\" parameter is set to \"000\" in \"/etc/login.defs\" file, the Severity is raised to a CAT I.\n\n# grep -i umask /etc/login.defs\nUMASK 077\n\nIf the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\" parameter is missing or is commented out, this is a finding.", - "fix": "Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.\n\nAdd or edit the line for the \"UMASK\" parameter in \"/etc/login.defs\" file to \"077\":\n\nUMASK 077" - } + "descs": {} }, "V-71997": { "tags": { - "check_id": "C-72229r11_chk", - "severity": "high", - "gid": "V-71997", - "rid": "SV-86621r5_rule", - "stig_id": "RHEL-07-020250", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78349r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72229r11_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": 
[ - "V-71997" - ], - "title": "The Red Hat Enterprise Linux operating system must be a vendor supported release.", - "desc": "[\"An operating system release is considered \\\"supported\\\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.false\"]", - "impact": 0.7, - "descs": { - "check": "Verify the version of the operating system is vendor supported.\n\nCheck the version of the operating system with the following command:\n\n# cat /etc/redhat-release\n\nRed Hat Enterprise Linux Server release 7.4 (Maipo)\n\nCurrent End of Life for RHEL 7.1 is 31 March 2017.\n\nCurrent End of Life for RHEL 7.2 is 30 November 2017.\n\nCurrent End of Life for RHEL 7.3 is 30 November 2018.\n\nCurrent End of Life for RHEL 7.4 is 31 August 2019.\n\nCurrent End of Life for RHEL 7.5 is 30 April 2020.\n\nCurrent End of Life for RHEL 7.6 is 31 October 2020.\n\nCurrent End of Life for RHEL 7.7 is 30 August 2021.\n\nIf the release is not supported by the vendor, this is a finding.", - "fix": "Upgrade to a supported version of the operating system." - } + "descs": {} }, "V-71999": { "tags": { - "check_id": "C-72231r3_chk", - "severity": "medium", - "gid": "V-71999", - "rid": "SV-86623r4_rule", - "stig_id": "RHEL-07-020260", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78351r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72231r3_chk", + "documentable__added": false }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-71999" - ], - "title": "The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.", - "desc": "[\"Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. 
However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.false\"]", - "impact": 0.5, "descs": { - "check": "Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). \n\nObtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.\n\nCheck that the available package security updates have been installed on the system with the following command:\n\n# yum history list | more\nLoaded plugins: langpacks, product-id, subscription-manager\nID | Command line | Date and time | Action(s) | Altered\n-------------------------------------------------------------------------------\n 70 | install aide | 2016-05-05 10:58 | Install | 1 \n 69 | update -y | 2016-05-04 14:34 | Update | 18 EE\n 68 | install vlc | 2016-04-21 17:12 | Install | 21 \n 67 | update -y | 2016-04-21 17:04 | Update | 7 EE\n 66 | update -y | 2016-04-15 16:47 | E, I, U | 84 EE\n\nIf package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. 
\n\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\nIf the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.", - "fix": "Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates." + "check": "Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). \n\nObtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.\n\nCheck that the available package security updates have been installed on the system with the following command:\n\n# yum history list | more\nLoaded plugins: langpacks, product-id, subscription-manager\nID | Command line | Date and time | Action(s) | Altered\n-------------------------------------------------------------------------------\n 70 | install aide | 2016-05-05 10:58 | Install | 1 \n 69 | update -y | 2016-05-04 14:34 | Update | 18 EE\n 68 | install vlc | 2016-04-21 17:12 | Install | 21 \n 67 | update -y | 2016-04-21 17:04 | Update | 7 EE\n 66 | update -y | 2016-04-15 16:47 | E, I, U | 84 EE\n\nIf package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. \n\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\nIf the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding." 
} }, "V-72001": { "tags": { - "check_id": "C-72233r1_chk", - "severity": "medium", - "gid": "V-72001", - "rid": "SV-86625r2_rule", - "stig_id": "RHEL-07-020270", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78353r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72233r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72001" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not have unnecessary accounts.", - "desc": "[\"Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify all accounts on the system are assigned to an active system, application, or user account.\n\nObtain the list of authorized system accounts from the Information System Security Officer (ISSO).\n\nCheck the system accounts on the system with the following command:\n\n# more /etc/passwd\nroot:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\ngames:x:12:100:games:/usr/games:/sbin/nologin\ngopher:x:13:30:gopher:/var/gopher:/sbin/nologin\n\nAccounts such as \"games\" and \"gopher\" are not authorized accounts as they do not support authorized system functions. \n\nIf the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.", - "fix": "Configure the system so all accounts on the system are assigned to an active system, application, or user account. 
\n\nRemove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. \n\nDocument all authorized accounts on the system." - } + "descs": {} }, "V-72003": { "tags": { - "check_id": "C-72235r1_chk", - "severity": "low", - "gid": "V-72003", - "rid": "SV-86627r2_rule", - "stig_id": "RHEL-07-020300", - "gtitle": "SRG-OS-000104-GPOS-00051", - "fix_id": "F-78355r1_fix", - "cci": [ - "CCI-000764" - ], - "nist": [ - "IA-2" - ] + "check_id__added": "C-72235r1_chk", + "documentable__added": false, + "severity": "low" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72003" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.", - "desc": "[\"If a user is assigned the GID of a group not existing on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.false\"]", - "impact": 0.3, - "descs": { - "check": "Verify all GIDs referenced in the \"/etc/passwd\" file are defined in the \"/etc/group\" file.\n\nCheck that all referenced GIDs exist with the following command:\n\n# pwck -r\n\nIf GIDs referenced in \"/etc/passwd\" file are returned as not defined in \"/etc/group\" file, this is a finding.", - "fix": "Configure the system to define all GIDs found in the \"/etc/passwd\" file by modifying the \"/etc/group\" file to add any non-existent group referenced in the \"/etc/passwd\" file, or change the GIDs referenced in the \"/etc/passwd\" file to a group that exists in \"/etc/group\"." 
- } + "descs": {} }, "V-72005": { "tags": { - "check_id": "C-72237r1_chk", - "severity": "high", - "gid": "V-72005", - "rid": "SV-86629r2_rule", - "stig_id": "RHEL-07-020310", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78357r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72237r1_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72005" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.", - "desc": "[\"If an account other than root also has a User Identifier (UID) of \\\"0\\\", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of \\\"0\\\" afford an opportunity for potential intruders to guess a password for a privileged account.false\"]", - "impact": 0.7, - "descs": { - "check": "Check the system for duplicate UID \"0\" assignments with the following command:\n\n# awk -F: '$3 == 0 {print $1}' /etc/passwd\n\nIf any accounts other than root have a UID of \"0\", this is a finding.", - "fix": "Change the UID of any account on the system, other than root, that has a UID of \"0\". \n\nIf the account is associated with system commands or applications, the UID should be changed to one greater than \"0\" but less than \"1000\". Otherwise, assign a UID of greater than \"1000\" that has not already been assigned." 
- } + "descs": {} }, "V-72007": { "tags": { - "check_id": "C-72239r2_chk", - "severity": "medium", - "gid": "V-72007", - "rid": "SV-86631r3_rule", - "stig_id": "RHEL-07-020320", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78359r1_fix", - "cci": [ - "CCI-002165" - ], - "nist": [ - "AC-3 (4)" - ] + "check_id__added": "C-72239r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72007" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner.", - "desc": "[\"Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier \\\"UID\\\" as the UID of the un-owned files.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify all files and directories on the system have a valid owner.\n\nCheck the owner of all files and directories with the following command:\n\nNote: The value after -fstype must be replaced with the filesystem type. 
XFS is used as an example.\n\n# find / -fstype xfs -nouser\n\nIf any files on the system do not have an assigned owner, this is a finding.", - "fix": "Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the \"chown\" command:\n\n# chown " - } + "descs": {} }, "V-72009": { "tags": { - "check_id": "C-72241r3_chk", - "severity": "medium", - "gid": "V-72009", - "rid": "SV-86633r3_rule", - "stig_id": "RHEL-07-020330", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78361r1_fix", - "cci": [ - "CCI-002165" - ], - "nist": [ - "AC-3 (4)" - ] + "check_id__added": "C-72241r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72009" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner.", - "desc": "[\"Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify all files and directories on the system have a valid group.\n\nCheck the owner of all files and directories with the following command:\n\nNote: The value after -fstype must be replaced with the filesystem type. 
XFS is used as an example.\n\n# find / -fstype xfs -nogroup\n\nIf any files on the system do not have an assigned group, this is a finding.", - "fix": "Either remove all files and directories from the system that do not have a valid group, or assign a valid group to all files and directories on the system with the \"chgrp\" command:\n\n# chgrp " - } + "descs": {} }, "V-72011": { "tags": { - "check_id": "C-72243r1_chk", - "severity": "medium", - "gid": "V-72011", - "rid": "SV-86635r2_rule", - "stig_id": "RHEL-07-020600", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78363r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72243r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72011" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file.", - "desc": "[\"If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify local interactive users on the system have a home directory assigned.\n\nCheck for missing local interactive user home directories with the following command:\n\n# pwck -r\nuser 'lp': directory '/var/spool/lpd' does not exist\nuser 'news': directory '/var/spool/news' does not exist\nuser 'uucp': directory '/var/spool/uucp' does not exist\nuser 'smithj': directory '/home/smithj' does not exist\n\nAsk the System Administrator (SA) if any users found without home directories are local interactive users. 
If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command:\n\n# cut -d: -f 1,3 /etc/passwd | egrep \":[1-4][0-9]{2}$|:[0-9]{1,2}$\"\n\nIf any interactive users do not have a home directory assigned, this is a finding.", - "fix": "Assign home directories to all local interactive users that currently do not have a home directory assigned." - } + "descs": {} }, "V-72013": { "tags": { - "check_id": "C-72245r1_chk", - "severity": "medium", - "gid": "V-72013", - "rid": "SV-86637r2_rule", - "stig_id": "RHEL-07-020610", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78365r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72245r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72013" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.", - "desc": "[\"If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify all local interactive users on the system are assigned a home directory upon creation.\n\nCheck to see if the system is configured to create home directories for local interactive users with the following command:\n\n# grep -i create_home /etc/login.defs\nCREATE_HOME yes\n\nIf the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line is missing, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to assign home directories to all new local interactive users by setting the \"CREATE_HOME\" parameter in \"/etc/login.defs\" to \"yes\" as follows.\n\nCREATE_HOME yes" - } + "descs": {} }, "V-72015": { "tags": { - "check_id": "C-72247r2_chk", - 
"severity": "medium", - "gid": "V-72015", - "rid": "SV-86639r2_rule", - "stig_id": "RHEL-07-020620", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78367r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72247r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72015" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are defined in the /etc/passwd file.", - "desc": "[\"If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the assigned home directory of all local interactive users on the system exists.\n\nCheck the home directory assignment for all local interactive non-privileged users on the system with the following command:\n\n# cut -d: -f 1,3,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\n\nsmithj:1001:/home/smithj\n\nNote: This may miss interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\nCheck that all referenced home directories exist with the following command:\n\n# pwck -r\nuser 'smithj': directory '/home/smithj' does not exist\n\nIf any home directories referenced in \"/etc/passwd\" are returned as not defined, this is a finding.", - "fix": "Create home directories to all local interactive users that currently do not have a home directory assigned. 
Use the following commands to create the user home directory assigned in \"/etc/ passwd\":\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\", a UID of \"smithj\", and a Group Identifier (GID) of \"users\" assigned in \"/etc/passwd\".\n\n# mkdir /home/smithj \n# chown smithj /home/smithj\n# chgrp users /home/smithj\n# chmod 0750 /home/smithj" - } + "descs": {} }, "V-72017": { "tags": { - "check_id": "C-72249r2_chk", - "severity": "medium", - "gid": "V-72017", - "rid": "SV-86641r3_rule", - "stig_id": "RHEL-07-020630", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78369r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72249r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72017" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.", - "desc": "[\"Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the assigned home directory of all local interactive users has a mode of \"0750\" or less permissive.\n\nCheck the home directory assignment for all non-privileged users on the system with the following command:\n\nNote: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\n# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)\n-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n\nIf home directories referenced in \"/etc/passwd\" do not have a mode of \"0750\" or less permissive, this is a finding.", - "fix": "Change the mode of interactive user's home directories to \"0750\". 
To change the mode of a local interactive user's home directory, use the following command:\n\nNote: The example will be for the user \"smithj\".\n\n# chmod 0750 /home/smithj" - } + "descs": {} }, "V-72019": { "tags": { - "check_id": "C-72251r6_chk", - "severity": "medium", - "gid": "V-72019", - "rid": "SV-86643r5_rule", - "stig_id": "RHEL-07-020640", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78371r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72251r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72019" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.", - "desc": "[\"If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the assigned home directory of all local interactive users on the system exists.\n\nCheck the home directory assignment for all local interactive users on the system with the following command:\n\n# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)\n\n-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n\nIf any home directories referenced in \"/etc/passwd\" are not owned by the interactive user, this is a finding.", - "fix": "Change the owner of a local interactive user's home directories to that owner. 
To change the owner of a local interactive user's home directory, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\".\n\n# chown smithj /home/smithj" - } + "descs": {} }, "V-72021": { "tags": { - "check_id": "C-72253r8_chk", - "severity": "medium", - "gid": "V-72021", - "rid": "SV-86645r5_rule", - "stig_id": "RHEL-07-020650", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78373r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72253r8_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72021" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.", - "desc": "[\"If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the assigned home directory of all local interactive users is group-owned by that user's primary GID.\n\nCheck the home directory assignment for all local interactive users on the system with the following command:\n\n# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)\n\n-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n\nCheck the user's primary group with the following command:\n\n# grep users /etc/group\n\nusers:x:250:smithj,jonesj,jacksons\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by that user's primary GID, this is a finding.", - "fix": "Change the group owner of a local interactive user's home directory to the group found in \"/etc/passwd\". 
To change the group owner of a local interactive user's home directory, use the following command:\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\", and has a primary group of users.\n\n# chgrp users /home/smithj" - } + "descs": {} }, "V-72023": { "tags": { - "check_id": "C-72255r3_chk", - "severity": "medium", - "gid": "V-72023", - "rid": "SV-86647r2_rule", - "stig_id": "RHEL-07-020660", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78375r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72255r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72023" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory.", - "desc": "[\"If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify all files and directories in a local interactive user's home directory are owned by the user.\n\nCheck the owner of all files and directories in a local interactive user's home directory with the following command:\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n\n# ls -lLR /home/smithj\n-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r--r-- 1 smithj smithj 231 Mar 5 17:06 file3\n\nIf any files are found with an owner different than the home directory user, this is a finding.", - "fix": "Change the owner of a local interactive user's files and directories to that owner. 
To change the owner of a local interactive user's files and directories, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\".\n\n# chown smithj /home/smithj/" - } + "descs": {} }, "V-72025": { "tags": { - "check_id": "C-72257r3_chk", - "severity": "medium", - "gid": "V-72025", - "rid": "SV-86649r2_rule", - "stig_id": "RHEL-07-020670", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78377r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72257r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72025" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.", - "desc": "[\"If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify all files and directories in a local interactive user home directory are group-owned by a group the user is a member of.\n\nCheck the group owner of all files and directories in a local interactive user's home directory with the following command:\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n\n# ls -lLR ///\n-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3\n\nIf any files are found with an owner different than the group home directory user, check to see if the user is a member of that group with the following command:\n\n# grep smithj /etc/group\nsa:x:100:juan,shelley,bob,smithj \nsmithj:x:521:smithj\n\nIf the user is not a member of a group that group 
owns file(s) in a local interactive user's home directory, this is a finding.", - "fix": "Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\" and is a member of the users group.\n\n# chgrp users /home/smithj/" - } + "descs": {} }, "V-72027": { "tags": { - "check_id": "C-72259r1_chk", - "severity": "medium", - "gid": "V-72027", - "rid": "SV-86651r2_rule", - "stig_id": "RHEL-07-020680", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78379r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72259r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72027" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.", - "desc": "[\"If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of \"0750\".\n\nCheck the mode of all non-initialization files in a local interactive user home directory with the following command:\n\nFiles that begin with a \".\" are excluded from this requirement.\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n\n# ls -lLR /home/smithj\n-rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1\n-rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3\n\nIf any 
files are found with a mode more permissive than \"0750\", this is a finding.", - "fix": "Set the mode on files and directories in the local interactive user home directory with the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\" and is a member of the users group.\n\n# chmod 0750 /home/smithj/" - } + "descs": {} }, "V-72029": { "tags": { - "check_id": "C-72261r6_chk", + "check_id__added": "C-72261r6_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72029", - "rid": "SV-86653r4_rule", - "stig_id": "RHEL-07-020690", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78381r4_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "rid": "SV-86653r4_rule" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72029" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.", - "desc": "[\"Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.false\"]", - "impact": 0.5, "descs": { - "check": "Verify the local initialization files of all local interactive users are owned by that user.\n\nCheck the home directory assignment for all non-privileged users on the system with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of \"/home/smithj\".\n\n# cut -d: -f 1,3,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\nsmithj:1000:/home/smithj\n\nNote: This may miss interactive users that have been assigned a privileged User Identifier (UID). 
Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\nCheck the owner of all local interactive user's initialization files with the following command:\n\n# ls -al /home/smithj/.[^.]* | more\n\n-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n\nIf all local interactive user's initialization files are not owned by that user or root, this is a finding.", - "fix": "Set the owner of the local initialization files for interactive users to either the directory owner or root with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of \"/home/smithj\".\n\n# chown smithj /home/smithj/.[^.]*" + "check": "Verify the local initialization files of all local interactive users are owned by that user.\n\nCheck the home directory assignment for all non-privileged users on the system with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of \"/home/smithj\".\n\n# cut -d: -f 1,3,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\nsmithj:1000:/home/smithj\n\nNote: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\nCheck the owner of all local interactive user's initialization files with the following command:\n\n# ls -al /home/smithj/.[^.]* | more\n\n-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n\nIf all local interactive user's initialization files are not owned by that user or root, this is a finding." 
} }, "V-72031": { "tags": { - "check_id": "C-72263r7_chk", - "severity": "medium", - "gid": "V-72031", - "rid": "SV-86655r4_rule", - "stig_id": "RHEL-07-020700", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78383r4_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72263r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72031" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root.", - "desc": "[\"Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the local initialization files of all local interactive users are group-owned by that user's primary Group Identifier (GID).\n\nCheck the home directory assignment for all non-privileged users on the system with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of \"/home/smithj\" and a primary group of \"users\".\n\n# cut -d: -f 1,4,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\nsmithj:1000:/home/smithj\n\n# grep 1000 /etc/group\nusers:x:1000:smithj,jonesj,jacksons \n\nNote: This may miss interactive users that have been assigned a privileged User Identifier (UID). 
Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\nCheck the group owner of all local interactive user's initialization files with the following command:\n\n# ls -al /home/smithj/.[^.]* | more\n\n-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n\nIf all local interactive user's initialization files are not group-owned by that user's primary GID, this is a finding.", - "fix": "Change the group owner of a local interactive user's files to the group found in \"/etc/passwd\" for the user. To change the group owner of a local interactive user's home directory, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\", and has a primary group of users.\n\n# chgrp users /home/smithj/.[^.]*" - } + "descs": {} }, "V-72033": { "tags": { - "check_id": "C-72265r4_chk", - "severity": "medium", - "gid": "V-72033", - "rid": "SV-86657r3_rule", - "stig_id": "RHEL-07-020710", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78385r4_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72265r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72033" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.", - "desc": "[\"Local initialization files are used to configure the user's shell environment upon logon. 
Malicious modification of these files could compromise accounts upon logon.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify that all local initialization files have a mode of \"0740\" or less permissive.\n\nCheck the mode on all local initialization files with the following command:\n\nNote: The example will be for the \"smithj\" user, who has a home directory of \"/home/smithj\".\n\n# ls -al /home/smithj/.[^.]* | more\n\n-rwxr----- 1 smithj users 896 Mar 10 2011 .profile\n-rwxr----- 1 smithj users 497 Jan 6 2007 .login\n-rwxr----- 1 smithj users 886 Jan 6 2007 .something\n\nIf any local initialization files have a mode more permissive than \"0740\", this is a finding.", - "fix": "Set the mode of the local initialization files to \"0740\" with the following command:\n\nNote: The example will be for the \"smithj\" user, who has a home directory of \"/home/smithj\".\n\n# chmod 0740 /home/smithj/.[^.]*" - } + "descs": {} }, "V-72035": { "tags": { - "check_id": "C-72267r5_chk", - "severity": "medium", - "gid": "V-72035", - "rid": "SV-86659r4_rule", - "stig_id": "RHEL-07-020720", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78387r4_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72267r5_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72035" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.", - "desc": "[\"The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. 
This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).false\"]", - "impact": 0.5, - "descs": { - "check": "Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the users' home directory.\n\nCheck the executable search path statement for all local interactive user initialization files in the users' home directory with the following commands:\n\nNote: The example will be for the smithj user, which has a home directory of \"/home/smithj\".\n\n# grep -i path /home/smithj/.*\n/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n/home/smithj/.bash_profile:export PATH\n\nIf any local interactive user initialization files have executable search path statements that include directories outside of their home directory, this is a finding.", - "fix": "Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. \n\nIf a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO." 
- } + "descs": {} }, "V-72037": { "tags": { - "check_id": "C-72269r2_chk", - "severity": "medium", - "gid": "V-72037", - "rid": "SV-86661r2_rule", - "stig_id": "RHEL-07-020730", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78389r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72269r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72037" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs.", - "desc": "[\"If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify that local initialization files do not execute world-writable programs.\n\nCheck the system for world-writable files with the following command:\n\n# find / -xdev -perm -002 -type f -exec ls -ld {} \\; | more\n\nFor all files listed, check for their presence in the local initialization files with the following commands:\n\nNote: The example will be for a system that is configured to create users' home directories in the \"/home\" directory.\n\n# grep /home/*/.*\n\nIf any local initialization files are found to reference world-writable files, this is a finding.", - "fix": "Set the mode on files being executed by the local initialization files with the following command:\n\n# chmod 0755 " - } + "descs": {} }, "V-72039": { "tags": { - "check_id": "C-72271r1_chk", + "check_id__added": "C-72271r1_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72039", - "rid": "SV-86663r2_rule", - 
"stig_id": "RHEL-07-020900", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78391r1_fix", - "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" - ], "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1) (a)", - "CM-5 (1)" + "CM-5 (1) (a)" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72039" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.", - "desc": "[\"If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.false\"]", - "impact": 0.5, "descs": { - "check": "Verify that all system device files are correctly labeled to prevent unauthorized modification.\n\nList all device files on the system that are incorrectly labeled with the following commands:\n\nNote: Device files are normally found under \"/dev\", but applications may place device files in other directories and may necessitate a search of the entire system.\n\n#find /dev -context *:device_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"\n\n#find /dev -context *:unlabeled_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"\n\nNote: There are device files, such as \"/dev/vmci\", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the \"device_t\" label to operate. 
These device files are not a finding.\n\nIf there is output from either of these commands, other than already noted, this is a finding.", - "fix": "Run the following command to determine which package owns the device file:\n\n# rpm -qf \n\nThe package can be reinstalled from a yum repository using the command:\n\n# sudo yum reinstall \n\nAlternatively, the package can be reinstalled from trusted media using the command:\n\n# sudo rpm -Uvh " + "check": "Verify that all system device files are correctly labeled to prevent unauthorized modification.\n\nList all device files on the system that are incorrectly labeled with the following commands:\n\nNote: Device files are normally found under \"/dev\", but applications may place device files in other directories and may necessitate a search of the entire system.\n\n#find /dev -context *:device_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"\n\n#find /dev -context *:unlabeled_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"\n\nNote: There are device files, such as \"/dev/vmci\", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the \"device_t\" label to operate. These device files are not a finding.\n\nIf there is output from either of these commands, other than already noted, this is a finding." 
} }, "V-72041": { "tags": { - "check_id": "C-72273r7_chk", - "severity": "medium", - "gid": "V-72041", - "rid": "SV-86665r4_rule", - "stig_id": "RHEL-07-021000", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78393r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72273r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72041" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.", - "desc": "[\"The \\\"nosuid\\\" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify file systems that contain user home directories are mounted with the \"nosuid\" option.\n\nFind the file system(s) that contain the user home directories with the following command:\n\nNote: If a separate file system has not been created for the user home directories (user home directories are mounted under \"/\"), this is not a finding as the \"nosuid\" option cannot be used on the \"/\" system.\n\n# cut -d: -f 1,3,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\nsmithj:1001:/home/smithj\nthomasr:1002:/home/thomasr\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2\n \nIf a file system found in \"/etc/fstab\" refers to the user home directory file system and it does not have the \"nosuid\" option set, this is a 
finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that contain user home directories." - } + "descs": {} }, "V-72043": { "tags": { - "check_id": "C-72275r2_chk", - "severity": "medium", - "gid": "V-72043", - "rid": "SV-86667r2_rule", - "stig_id": "RHEL-07-021010", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78395r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72275r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72043" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.", - "desc": "[\"The \\\"nosuid\\\" mount option causes the system to not execute \\\"setuid\\\" and \\\"setgid\\\" files with owner privileges. This option must be used for mounting any file system not containing approved \\\"setuid\\\" and \\\"setguid\\\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify file systems that are used for removable media are mounted with the \"nosuid\" option.\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0\n\nIf a file system found in \"/etc/fstab\" refers to removable media and it does not have the \"nosuid\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are associated with removable media." 
- } + "descs": {} }, "V-72045": { "tags": { - "check_id": "C-72277r2_chk", - "severity": "medium", - "gid": "V-72045", - "rid": "SV-86669r2_rule", - "stig_id": "RHEL-07-021020", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78397r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72277r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72045" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).", - "desc": "[\"The \\\"nosuid\\\" mount option causes the system to not execute \\\"setuid\\\" and \\\"setgid\\\" files with owner privileges. This option must be used for mounting any file system not containing approved \\\"setuid\\\" and \\\"setguid\\\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify file systems that are being NFS imported are configured with the \"nosuid\" option.\n\nFind the file system(s) that contain the directories being exported with the following command:\n\n# more /etc/fstab | grep nfs\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0\n\nIf a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"nosuid\" option set, this is a finding.\n\nVerify the NFS is mounted with the \"nosuid\" option:\n\n# mount | grep nfs | grep nosuid\nIf no results are returned, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are being imported via NFS." 
- } + "descs": {} }, "V-72047": { "tags": { - "check_id": "C-72279r4_chk", - "severity": "medium", - "gid": "V-72047", - "rid": "SV-86671r4_rule", - "stig_id": "RHEL-07-021030", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78399r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72279r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72047" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.", - "desc": "[\"If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others.\\n\\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify all world-writable directories are group-owned by root, sys, bin, or an application group.\n\nCheck the system for world-writable directories with the following command:\n\nNote: The value after -fstype must be replaced with the filesystem type. 
XFS is used as an example.\n\n# find / -xdev -perm -002 -type d -fstype xfs -exec ls -lLd {} \\;\ndrwxrwxrwt 2 root root 40 Aug 26 13:07 /dev/mqueue\ndrwxrwxrwt 2 root root 220 Aug 26 13:23 /dev/shm\ndrwxrwxrwt 14 root root 4096 Aug 26 13:29 /tmp\n\nIf any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding.", - "fix": "Change the group of the world-writable directories to root with the following command:\n\n# chgrp root " - } + "descs": {} }, "V-72049": { "tags": { - "check_id": "C-72281r1_chk", + "check_id__added": "C-72281r1_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72049", - "rid": "SV-86673r2_rule", - "stig_id": "RHEL-07-021040", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78401r3_fix", - "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" - ], "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1) (a)", - "CM-5 (1)" + "CM-5 (1) (a)" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72049" - ], - "title": "The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.", - "desc": "[\"The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be \\\"0\\\". 
This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify that the default umask for all local interactive users is \"077\".\n\nIdentify the locations of all local interactive user home directories by looking at the \"/etc/passwd\" file.\n\nCheck all local interactive user initialization files for interactive users with the following command:\n\nNote: The example is for a system that is configured to create users home directories in the \"/home\" directory.\n\n# grep -i umask /home/*/.*\n\nIf any local interactive user initialization files are found to have a umask statement that has a value less restrictive than \"077\", this is a finding.", - "fix": "Remove the umask statement from all local interactive user's initialization files. \n\nIf the account is for an application, the requirement for a umask less restrictive than \"077\" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account's environment variables." - } + "descs": {} }, "V-72051": { "tags": { - "check_id": "C-72283r2_chk", - "severity": "medium", - "gid": "V-72051", - "rid": "SV-86675r2_rule", - "stig_id": "RHEL-07-021100", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78403r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72283r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72051" - ], - "title": "The Red Hat Enterprise Linux operating system must have cron logging implemented.", - "desc": "[\"Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. 
It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify that \"rsyslog\" is configured to log cron events.\n\nCheck the configuration of \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files for the cron facility with the following command:\n\nNote: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n\n# grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf\ncron.* /var/log/cron.log\n\nIf the command does not return a response, check for cron logging all facilities by inspecting the \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n\nLook for the following entry:\n\n*.* /var/log/messages\n\nIf \"rsyslog\" is not logging messages for the cron facility or all facilities, this is a finding.", - "fix": "Configure \"rsyslog\" to log all cron messages by adding or updating the following line to \"/etc/rsyslog.conf\" or a configuration file in the /etc/rsyslog.d/ directory:\n\ncron.* /var/log/cron.log" - } + "descs": {} }, "V-72053": { "tags": { - "check_id": "C-72285r2_chk", - "severity": "medium", - "gid": "V-72053", - "rid": "SV-86677r3_rule", - "stig_id": "RHEL-07-021110", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78405r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72285r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72053" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.", - "desc": "[\"If the owner of the \\\"cron.allow\\\" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify that the 
\"cron.allow\" file is owned by root.\n\nCheck the owner of the \"cron.allow\" file with the following command:\n\n# ls -al /etc/cron.allow\n-rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n\nIf the \"cron.allow\" file exists and has an owner other than root, this is a finding.", - "fix": "Set the owner on the \"/etc/cron.allow\" file to root with the following command:\n\n# chown root /etc/cron.allow" - } + "descs": {} }, "V-72055": { "tags": { - "check_id": "C-72287r1_chk", - "severity": "medium", - "gid": "V-72055", - "rid": "SV-86679r2_rule", - "stig_id": "RHEL-07-021120", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78407r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72287r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72055" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.", - "desc": "[\"If the group owner of the \\\"cron.allow\\\" file is not set to root, sensitive information could be viewed or edited by unauthorized users.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify that the \"cron.allow\" file is group-owned by root.\n\nCheck the group owner of the \"cron.allow\" file with the following command:\n\n# ls -al /etc/cron.allow\n-rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n\nIf the \"cron.allow\" file exists and has a group owner other than root, this is a finding.", - "fix": "Set the group owner on the \"/etc/cron.allow\" file to root with the following command:\n\n# chgrp root /etc/cron.allow" - } + "descs": {} }, "V-72057": { "tags": { - "check_id": "C-72289r1_chk", - "severity": "medium", - "gid": "V-72057", - "rid": "SV-86681r2_rule", - "stig_id": "RHEL-07-021300", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78409r1_fix", - "cci": [ - "CCI-000366" - ], - 
"nist": [ - "CM-6 b" - ] + "check_id__added": "C-72289r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72057" - ], - "title": "The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed.", - "desc": "[\"Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify that kernel core dumps are disabled unless needed.\n\nCheck the status of the \"kdump\" service with the following command:\n\n# systemctl status kdump.service\nkdump.service - Crash recovery kernel arming\n Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled)\n Active: active (exited) since Wed 2015-08-26 13:08:09 EDT; 43min ago\n Main PID: 1130 (code=exited, status=0/SUCCESS)\nkernel arming.\n\nIf the \"kdump\" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).\n\nIf the service is active and is not documented, this is a finding.", - "fix": "If kernel core dumps are not required, disable the \"kdump\" service with the following command:\n\n# systemctl disable kdump.service\n\nIf kernel core dumps are required, document the need with the ISSO." 
- } + "descs": {} }, "V-72059": { "tags": { - "check_id": "C-72291r2_chk", - "severity": "low", - "gid": "V-72059", - "rid": "SV-86683r2_rule", - "stig_id": "RHEL-07-021310", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78411r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72291r2_chk", + "documentable__added": false, + "severity": "low" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72059" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).", - "desc": "[\"The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false\"]", - "impact": 0.3, - "descs": { - "check": "Verify that a separate file system/partition has been created for non-privileged local interactive user home directories.\n\nCheck the home directory assignment for all non-privileged users (those with a UID greater than 1000) on the system with the following command:\n\n#cut -d: -f 1,3,6,7 /etc/passwd | egrep \":[1-4][0-9]{3}\" | tr \":\" \"\\t\"\n\nadamsj /home/adamsj /bin/bash\njacksonm /home/jacksonm /bin/bash\nsmithj /home/smithj /bin/bash\n\nThe output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, /home) and users' shell. 
All accounts with a valid shell (such as /bin/bash) are considered interactive users.\n\nCheck that a file system/partition has been created for the non-privileged interactive users with the following command:\n\nNote: The partition of /home is used in the example.\n\n# grep /home /etc/fstab\nUUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2\n\nIf a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding.", - "fix": "Migrate the \"/home\" directory onto a separate file system/partition." - } + "descs": {} }, "V-72061": { "tags": { - "check_id": "C-72293r1_chk", - "severity": "low", - "gid": "V-72061", - "rid": "SV-86685r2_rule", - "stig_id": "RHEL-07-021320", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78413r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72293r1_chk", + "documentable__added": false, + "severity": "low" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72061" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must use a separate file system for /var.", - "desc": "[\"The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false\"]", - "impact": 0.3, - "descs": { - "check": "Verify that a separate file system/partition has been created for \"/var\".\n\nCheck that a file system/partition has been created for \"/var\" with the following command:\n\n# grep /var /etc/fstab\nUUID=c274f65f /var ext4 noatime,nobarrier 1 2\n\nIf a separate entry for \"/var\" is not in use, this is a finding.", - "fix": "Migrate the \"/var\" path onto a separate file system." 
- } + "descs": {} }, "V-72063": { "tags": { - "check_id": "C-72295r10_chk", - "severity": "low", - "gid": "V-72063", - "rid": "SV-86687r6_rule", - "stig_id": "RHEL-07-021330", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78415r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] - }, - "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72063" - ], - "title": "The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path.", - "desc": "[\"The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false\"]", - "impact": 0.3, - "descs": { - "check": "Determine if the operating system is configured to have the \"/var/log/audit\" path is on a separate file system.\n\n# grep /var/log/audit /etc/fstab\n\nIf no result is returned, or the operating system is not configured to have \"/var/log/audit\" on a separate file system, this is a finding.\n\nVerify that \"/var/log/audit\" is mounted on a separate file system:\n\n# mount | grep \"/var/log/audit\"\n\nIf no result is returned, or \"/var/log/audit\" is not on a separate file system, this is a finding.", - "fix": "Migrate the system audit data path onto a separate file system." 
- } - }, - "V-72065": { - "tags": { - "check_id": "C-72297r2_chk", - "severity": "low", - "gid": "V-72065", - "rid": "SV-86689r3_rule", - "stig_id": "RHEL-07-021340", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78417r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72295r10_chk", + "documentable__added": false, + "severity": "low" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72065" + "descs": {} + }, + "V-72065": { + "tags": { + "check_id__added": "C-72297r2_chk", + "documentable__added": false, + "severity": "low" + }, + "refs": [ + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).", - "desc": "[\"The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false\"]", - "impact": 0.3, - "descs": { - "check": "Verify that a separate file system/partition has been created for \"/tmp\".\n\nCheck that a file system/partition has been created for \"/tmp\" with the following command:\n\n# systemctl is-enabled tmp.mount\nenabled\n\nIf the \"tmp.mount\" service is not enabled, check to see if \"/tmp\" is defined in the fstab with a device and mount point:\n\n# grep -i /tmp /etc/fstab\nUUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data=ordered,nosuid,noexec, 0 0\n\nIf \"tmp.mount\" service is not enabled and the \"/tmp\" directory is not defined in the fstab with a device and mount point, this is a finding.", - "fix": "Start the \"tmp.mount\" service with the following command:\n\n# systemctl enable tmp.mount\n \nOR\n\nEdit the \"/etc/fstab\" file and ensure the \"/tmp\" directory is defined in the fstab with a device and mount point." 
- } + "descs": {} }, "V-72067": { "tags": { - "check_id": "C-72299r3_chk", + "check_id__added": "C-72299r3_chk", + "documentable__added": false, "severity": "high", - "gid": "V-72067", - "rid": "SV-86691r4_rule", - "stig_id": "RHEL-07-021350", - "gtitle": "SRG-OS-000033-GPOS-00014", - "fix_id": "F-78419r3_fix", - "cci": [ - "CCI-000068", - "CCI-001199", - "CCI-002450", - "CCI-002476" - ], "nist": [ - "AC-17 (2)", - "SC-28", - "SC-13 b", - "SC-28 (1)" + "SC-13 b" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72067" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.", - "desc": "[\"Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. 
The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\\n\\nSatisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223false\"]", - "impact": 0.7, - "descs": { - "check": "Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions.\n\nCheck to see if the \"dracut-fips\" package is installed with the following command:\n\n# yum list installed dracut-fips\n\ndracut-fips-033-360.el7_2.x86_64.rpm\n\nIf a \"dracut-fips\" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command:\n\nNote: GRUB 2 reads its configuration from the \"/boot/grub2/grub.cfg\" file on traditional BIOS-based machines and from the \"/boot/efi/EFI/redhat/grub.cfg\" file on UEFI machines.\n\n# grep fips /boot/grub2/grub.cfg\n/vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet\n\nIf the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:\n\n# cat /proc/sys/crypto/fips_enabled \n1\n\nIf a \"dracut-fips\" package is not installed, the kernel command line does not have a fips entry, or the system has a value of \"0\" for \"fips_enabled\" in \"/proc/sys/crypto\", this is a finding.", - "fix": "Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package.\n\nTo enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.\n\nConfigure the operating system to implement 
DoD-approved encryption by following the steps below: \n\nThe fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key.\n\nInstall the dracut-fips package with the following command:\n\n# yum install dracut-fips\n\nRecreate the \"initramfs\" file with the following command:\n\nNote: This command will overwrite the existing \"initramfs\" file.\n\n# dracut -f\n\nModify the kernel command line of the current kernel in the \"grub.cfg\" file by adding the following option to the GRUB_CMDLINE_LINUX key in the \"/etc/default/grub\" file and then rebuild the \"grub.cfg\" file:\n\nfips=1\n\nChanges to \"/etc/default/grub\" require rebuilding the \"grub.cfg\" file as follows:\n\nOn BIOS-based machines, use the following command:\n\n# grub2-mkconfig -o /boot/grub2/grub.cfg\n\nOn UEFI-based machines, use the following command:\n\n# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg\n\nIf /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line. 
You can identify a partition by running the df /boot or df /boot/efi command:\n\n# df /boot\nFilesystem 1K-blocks Used Available Use% Mounted on\n/dev/sda1 495844 53780 416464 12% /boot\n\nTo ensure the \"boot=\" configuration option will work even if device naming changes occur between boots, identify the universally unique identifier (UUID) of the partition with the following command:\n\n# blkid /dev/sda1\n/dev/sda1: UUID=\"05c000f1-a213-759e-c7a2-f11b7424c797\" TYPE=\"ext4\"\n\nFor the example above, append the following string to the kernel command line:\n\nboot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797\n\nReboot the system for the changes to take effect." - } + "descs": {} }, "V-72069": { "tags": { - "check_id": "C-72301r3_chk", - "severity": "low", - "gid": "V-72069", - "rid": "SV-86693r3_rule", - "stig_id": "RHEL-07-021600", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78421r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72301r3_chk", + "documentable__added": false, + "severity": "low" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72069" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).", - "desc": "[\"ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.false\"]", - "impact": 0.3, - "descs": { - "check": "Verify the file integrity tool is configured to verify ACLs.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. \n\nIf there is no application installed to perform file integrity checks, this is a finding.\n\nNote: AIDE is highly configurable at install time. 
These commands assume the \"aide.conf\" file is under the \"/etc\" directory. \n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"acl\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"acl\" rule is below:\n\nAll= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n/bin All # apply the custom rule to the files in bin \n/sbin All # apply the same custom rule to the files in sbin \n\nIf the \"acl\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or ACLs are not being checked by another file integrity tool, this is a finding.", - "fix": "Configure the file integrity tool to check file and directory ACLs. \n\nIf AIDE is installed, ensure the \"acl\" rule is present on all uncommented file and directory selection lists." - } + "descs": {} }, "V-72071": { "tags": { - "check_id": "C-72303r3_chk", - "severity": "low", - "gid": "V-72071", - "rid": "SV-86695r3_rule", - "stig_id": "RHEL-07-021610", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78423r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72303r3_chk", + "documentable__added": false, + "severity": "low" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72071" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.", - "desc": "[\"Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.false\"]", - "impact": 0.3, - "descs": { - "check": "Verify the file integrity tool is configured to verify extended attributes.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:\n\n# yum 
list installed aide\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nIf there is no application installed to perform file integrity checks, this is a finding.\n\nNote: AIDE is highly configurable at install time. These commands assume the \"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"xattrs\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"xattrs\" rule follows:\n\nAll= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n/bin All # apply the custom rule to the files in bin \n/sbin All # apply the same custom rule to the files in sbin \n\nIf the \"xattrs\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or extended attributes are not being checked by another file integrity tool, this is a finding.", - "fix": "Configure the file integrity tool to check file and directory extended attributes. \n\nIf AIDE is installed, ensure the \"xattrs\" rule is present on all uncommented file and directory selection lists." 
- } + "descs": {} }, "V-72073": { "tags": { - "check_id": "C-72305r4_chk", - "severity": "medium", - "gid": "V-72073", - "rid": "SV-86697r3_rule", - "stig_id": "RHEL-07-021620", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78425r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72305r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72073" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.", - "desc": "[\"File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the file integrity tool is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.\n\nNote: If RHEL-07-021350 is a finding, this is automatically a finding too as the system cannot implement FIPS 140-2 approved cryptographic algorithms and hashes.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. \n\nIf there is no application installed to perform file integrity checks, this is a finding.\n\nNote: AIDE is highly configurable at install time. These commands assume the \"aide.conf\" file is under the \"/etc\" directory. 
\n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"sha512\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"sha512\" rule follows:\n\nAll=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n/bin All # apply the custom rule to the files in bin \n/sbin All # apply the same custom rule to the files in sbin \n\nIf the \"sha512\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding.", - "fix": "Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. \n\nIf AIDE is installed, ensure the \"sha512\" rule is present on all uncommented file and directory selection lists." - } + "descs": {} }, "V-72075": { "tags": { - "check_id": "C-72307r2_chk", + "check_id__added": "C-72307r2_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72075", - "rid": "SV-86699r2_rule", - "stig_id": "RHEL-07-021700", - "gtitle": "SRG-OS-000364-GPOS-00151", - "fix_id": "F-78427r1_fix", - "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" - ], "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1) (a)", - "CM-5 (1)" + "CM-5 (1) (a)" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72075" - ], - "title": "The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.", - "desc": "[\"Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. 
If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the system is not configured to use a boot loader on removable media.\n\nNote: GRUB 2 reads its configuration from the \"/boot/grub2/grub.cfg\" file on traditional BIOS-based machines and from the \"/boot/efi/EFI/redhat/grub.cfg\" file on UEFI machines.\n\nCheck for the existence of alternate boot loader configuration files with the following command:\n\n# find / -name grub.cfg\n/boot/grub2/grub.cfg\n\nIf a \"grub.cfg\" is found in any subdirectories other than \"/boot/grub2\" and \"/boot/efi/EFI/redhat\", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader. \n\nCheck that the grub configuration file has the set root command in each menu entry with the following commands:\n\n# grep -c menuentry /boot/grub2/grub.cfg\n1\n# grep 'set root' /boot/grub2/grub.cfg\nset root=(hd0,1)\n\nIf the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.", - "fix": "Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO." 
- } + "descs": {} }, "V-72077": { "tags": { - "check_id": "C-72309r2_chk", - "severity": "high", - "gid": "V-72077", - "rid": "SV-86701r2_rule", - "stig_id": "RHEL-07-021710", - "gtitle": "SRG-OS-000095-GPOS-00049", - "fix_id": "F-78429r1_fix", - "cci": [ - "CCI-000381" - ], - "nist": [ - "CM-7 a" - ] + "check_id__added": "C-72309r2_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72077" - ], - "title": "The Red Hat Enterprise Linux operating system must not have the telnet-server package installed.", - "desc": "[\"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\\n\\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\\n\\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.false\"]", - "impact": 0.7, - "descs": { - "check": "Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.\n\nThe telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised. 
\n\nCheck to see if the telnet-server package is installed with the following command:\n\n# yum list installed telnet-server\n\nIf the telnet-server package is installed, this is a finding.", - "fix": "Configure the operating system to disable non-essential capabilities by removing the telnet-server package from the system with the following command:\n\n# yum remove telnet-server" - } + "descs": {} }, "V-72079": { "tags": { - "check_id": "C-72311r2_chk", + "check_id__added": "C-72311r2_chk", + "documentable__added": false, "severity": "high", - "gid": "V-72079", - "rid": "SV-86703r3_rule", - "stig_id": "RHEL-07-030000", - "gtitle": "SRG-OS-000038-GPOS-00016", - "fix_id": "F-78431r2_fix", - "cci": [ - "CCI-000126", - "CCI-000131" - ], "nist": [ "AU-2 c", "AU-3 b" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72079" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. 
These audit records must also identify individual identities of group account users.", - "desc": "[\"Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\\n\\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\\n\\nAssociating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.\\n\\nSatisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096false\"]", - "impact": 0.7, - "descs": { - "check": "Verify the operating system produces audit records containing information to establish when (date and time) the events occurred.\n\nCheck to see if auditing is active by issuing the following command:\n\n# systemctl is-active auditd.service\nactive\n\nIf the \"auditd\" status is not active, this is a finding.", - "fix": "Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred.\n\nEnable the auditd service with the following command:\n\n# systemctl start auditd.service" - } + "descs": {} }, "V-72081": { "tags": { - "check_id": "C-72313r5_chk", + "check_id__added": "C-72313r5_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72081", - "rid": "SV-86705r5_rule", - "stig_id": "RHEL-07-030010", - "gtitle": "SRG-OS-000046-GPOS-00022", - "fix_id": "F-78433r2_fix", - "cci": [ - "CCI-000139" - ], - "nist": [ - "AU-5 a" - ] + "rid": "SV-86705r5_rule" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS 
Target Red Hat 7" ], - "id": [ - "V-72081" - ], - "title": "The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.", - "desc": "[\"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\\n\\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\\n\\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.\\n\\nSatisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023false\"]", "impact": 0.5, "descs": { - "check": "Confirm the audit configuration regarding how auditing processing failures are handled.\n\nCheck to see what level \"auditctl\" is set to with following command: \n\n# auditctl -s | grep -i \"fail\"\n\nfailure 2\n\nNote: If the value of \"failure\" is set to \"2\", the system is configured to panic (shut down) in the event of an auditing failure. 
If the value of \"failure\" is set to \"1\", the system is configured to only send information to the kernel log regarding the failure.\n\nIf the \"failure\" setting is set to any value other than \"1\" or \"2\", this is a finding.\n\nIf the \"failure\" setting is not set, this should be upgraded to a CAT I finding.\n\nIf the \"failure\" setting is set to \"1\" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.", - "fix": "Configure the operating system to shut down in the event of an audit processing failure.\n\nAdd or correct the option to shut down the operating system with the following command:\n\n# auditctl -f 2\n\nEdit the \"/etc/audit/rules.d/audit.rules\" file and add the following line:\n\n-f 2\n\nIf availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command:\n\n# auditctl -f 1\n\nEdit the \"/etc/audit/rules.d/audit.rules\" file and add the following line:\n\n-f 1\n\nKernel log monitoring must also be configured to properly alert designated staff.\n\nThe audit daemon must be restarted for the changes to take effect." + "check": "Confirm the audit configuration regarding how auditing processing failures are handled.\n\nCheck to see what level \"auditctl\" is set to with following command: \n\n# auditctl -s | grep -i \"fail\"\n\nfailure 2\n\nNote: If the value of \"failure\" is set to \"2\", the system is configured to panic (shut down) in the event of an auditing failure. 
If the value of \"failure\" is set to \"1\", the system is configured to only send information to the kernel log regarding the failure.\n\nIf the \"failure\" setting is set to any value other than \"1\" or \"2\", this is a finding.\n\nIf the \"failure\" setting is not set, this should be upgraded to a CAT I finding.\n\nIf the \"failure\" setting is set to \"1\" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding." } }, "V-72083": { "tags": { - "check_id": "C-72315r1_chk", - "severity": "medium", - "gid": "V-72083", - "rid": "SV-86707r2_rule", - "stig_id": "RHEL-07-030300", - "gtitle": "SRG-OS-000342-GPOS-00133", - "fix_id": "F-78435r1_fix", - "cci": [ - "CCI-001851" - ], - "nist": [ - "AU-4 (1)" - ] + "check_id__added": "C-72315r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72083" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited.", - "desc": "[\"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\\n\\nOff-loading is a common process in information systems with limited audit storage capacity.\\n\\nSatisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system off-loads audit records onto a different system or media from the system being audited.\n\nTo determine the remote server that the records are being sent to, use the following command:\n\n# grep -i remote_server /etc/audisp/audisp-remote.conf\nremote_server = 10.0.21.1\n\nIf a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. 
\n\nIf there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.", - "fix": "Configure the operating system to off-load audit records onto a different system or media from the system being audited.\n\nSet the remote server option in \"/etc/audisp/audisp-remote.conf\" with the IP address of the log aggregation server." - } + "descs": {} }, "V-72085": { "tags": { - "check_id": "C-72317r1_chk", - "severity": "medium", - "gid": "V-72085", - "rid": "SV-86709r2_rule", - "stig_id": "RHEL-07-030310", - "gtitle": "SRG-OS-000342-GPOS-00133", - "fix_id": "F-78437r1_fix", - "cci": [ - "CCI-001851" - ], - "nist": [ - "AU-4 (1)" - ] + "check_id__added": "C-72317r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72085" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.", - "desc": "[\"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\\n\\nOff-loading is a common process in information systems with limited audit storage capacity.\\n\\nSatisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited.\n\nTo determine if the transfer is encrypted, use the following command:\n\n# grep -i enable_krb5 /etc/audisp/audisp-remote.conf\nenable_krb5 = yes\n\nIf the value of the \"enable_krb5\" option is not set to \"yes\" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. 
\n\nIf there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.", - "fix": "Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited.\n\nUncomment the \"enable_krb5\" option in \"/etc/audisp/audisp-remote.conf\" and set it with the following line:\n\nenable_krb5 = yes" - } + "descs": {} }, "V-72087": { "tags": { - "check_id": "C-72319r4_chk", - "severity": "medium", - "gid": "V-72087", - "rid": "SV-86711r3_rule", - "stig_id": "RHEL-07-030320", - "gtitle": "SRG-OS-000342-GPOS-00133", - "fix_id": "F-78439r4_fix", - "cci": [ - "CCI-001851" - ], - "nist": [ - "AU-4 (1)" - ] + "check_id__added": "C-72319r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72087" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.", - "desc": "[\"Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the action the operating system takes if the disk the audit records are written to becomes full.\n\nTo determine the action that takes place if the disk is full on the remote server, use the following command:\n\n# grep -i disk_full_action /etc/audisp/audisp-remote.conf\ndisk_full_action = single\n\nIf the value of the \"disk_full_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, this is a finding.", - "fix": "Configure the action the operating system takes if the disk the audit records are written to becomes full.\n\nUncomment or edit the \"disk_full_action\" option in \"/etc/audisp/audisp-remote.conf\" and set it to \"syslog\", \"single\", or 
\"halt\", such as the following line:\n\ndisk_full_action = single" - } + "descs": {} }, "V-72089": { "tags": { - "check_id": "C-72321r4_chk", - "severity": "medium", - "gid": "V-72089", - "rid": "SV-86713r4_rule", - "stig_id": "RHEL-07-030330", - "gtitle": "SRG-OS-000343-GPOS-00134", - "fix_id": "F-78441r3_fix", - "cci": [ - "CCI-001855" - ], - "nist": [ - "AU-5 (1)" - ] + "check_id__added": "C-72321r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72089" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.", - "desc": "[\"If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are being written to with the following command:\n\n# grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records are written to (with the example being \"/var/log/audit/\"):\n\n# df -h /var/log/audit/\n0.9G /var/log/audit\n\nIf the audit records are not being written to a partition specifically created for audit records (in this example \"/var/log/audit\" is a separate partition), determine the amount of space other files in the partition are currently occupying with the following command:\n\n# du -sh \n1.8G /var\n\nDetermine 
what the threshold is for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached:\n\n# grep -iw space_left /etc/audit/auditd.conf\nspace_left = 225 \n\nIf the value of the \"space_left\" keyword is not set to 25 percent of the total partition size, this is a finding.", - "fix": "Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are being written to: \n\n# grep -iw log_file /etc/audit/auditd.conf\n\nDetermine the size of the partition that audit records are written to (with the example being \"/var/log/audit/\"):\n\n# df -h /var/log/audit/\n\nSet the value of the \"space_left\" keyword in \"/etc/audit/auditd.conf\" to 25 percent of the partition size." - } + "descs": {} }, "V-72091": { "tags": { - "check_id": "C-72323r1_chk", - "severity": "medium", - "gid": "V-72091", - "rid": "SV-86715r2_rule", - "stig_id": "RHEL-07-030340", - "gtitle": "SRG-OS-000343-GPOS-00134", - "fix_id": "F-78443r1_fix", - "cci": [ - "CCI-001855" - ], - "nist": [ - "AU-5 (1)" - ] + "check_id__added": "C-72323r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72091" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.", - "desc": "[\"If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.false\"]", - "impact": 0.5, - 
"descs": { - "check": "Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n\nCheck what action the operating system takes when the threshold for the repository maximum audit record storage capacity is reached with the following command:\n\n# grep -i space_left_action /etc/audit/auditd.conf\nspace_left_action = email\n\nIf the value of the \"space_left_action\" keyword is not set to \"email\", this is a finding.", - "fix": "Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.\n\nUncomment or edit the \"space_left_action\" keyword in \"/etc/audit/auditd.conf\" and set it to \"email\". \n \nspace_left_action = email" - } + "descs": {} }, "V-72093": { "tags": { - "check_id": "C-72325r4_chk", - "severity": "medium", - "gid": "V-72093", - "rid": "SV-86717r3_rule", - "stig_id": "RHEL-07-030350", - "gtitle": "SRG-OS-000343-GPOS-00134", - "fix_id": "F-78445r3_fix", - "cci": [ - "CCI-001855" - ], - "nist": [ - "AU-5 (1)" - ] + "check_id__added": "C-72325r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72093" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.", - "desc": "[\"If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system immediately 
notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.\n\nCheck what account the operating system emails when the threshold for the repository maximum audit record storage capacity is reached with the following command:\n\n# grep -i action_mail_acct /etc/audit/auditd.conf\naction_mail_acct = root\n\nIf the value of the \"action_mail_acct\" keyword is not set to \"root\" and other accounts for security personnel, this is a finding.", - "fix": "Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.\n\nUncomment or edit the \"action_mail_acct\" keyword in \"/etc/audit/auditd.conf\" and set it to root and any other accounts associated with security personnel. \n \naction_mail_acct = root" - } + "descs": {} }, "V-72095": { "tags": { - "check_id": "C-72327r7_chk", - "severity": "medium", - "gid": "V-72095", - "rid": "SV-86719r7_rule", - "stig_id": "RHEL-07-030360", - "gtitle": "SRG-OS-000327-GPOS-00127", - "fix_id": "F-78447r9_fix", - "cci": [ - "CCI-002234" - ], - "nist": [ - "AC-6 (9)" - ] + "check_id__added": "C-72327r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72095" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all executions of privileged functions.", - "desc": "[\"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. 
Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system audits the execution of privileged functions using the following command:\n\n# grep -iw execve /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n\n\nIf both the \"b32\" and \"b64\" audit rules for \"SUID\" files are not defined, this is a finding.\n\nIf both the \"b32\" and \"b64\" audit rules for \"SGID\" files are not defined, this is a finding.", - "fix": "Configure the operating system to audit the execution of privileged functions.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n\nThe audit daemon must be restarted for the changes to take effect." 
- } + "descs": {} }, "V-72097": { "tags": { - "check_id": "C-72329r8_chk", + "check_id__added": "C-72329r8_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72097", - "rid": "SV-86721r5_rule", - "stig_id": "RHEL-07-030370", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78449r8_fix", - "cci": [ - "CCI-000126", - "CCI-000172" - ], "nist": [ - "AU-2 c", - "AU-12 c" + "AU-2 c" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72097" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chown\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw chown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"chown\" syscall, this is a finding.", - "fix": "Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for 
the changes to take effect." - } + "descs": {} }, "V-72099": { "tags": { - "check_id": "C-72331r9_chk", + "check_id__added": "C-72331r9_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72099", - "rid": "SV-86723r5_rule", - "stig_id": "RHEL-07-030380", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78451r8_fix", - "cci": [ - "CCI-000126", - "CCI-000172" - ], "nist": [ - "AU-2 c", - "AU-12 c" + "AU-2 c" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72099" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fchown\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw fchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"fchown\" syscall, this is a finding.", - "fix": "Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k 
perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72101": { "tags": { - "check_id": "C-72333r8_chk", + "check_id__added": "C-72333r8_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72101", - "rid": "SV-86725r5_rule", - "stig_id": "RHEL-07-030390", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78453r8_fix", - "cci": [ - "CCI-000126", - "CCI-000172" - ], "nist": [ - "AU-2 c", - "AU-12 c" + "AU-2 c" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72101" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"lchown\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw lchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"lchown\" syscall, this is a finding.", - "fix": "Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lchown 
-F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72103": { "tags": { - "check_id": "C-72335r8_chk", + "check_id__added": "C-72335r8_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72103", - "rid": "SV-86727r5_rule", - "stig_id": "RHEL-07-030400", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78455r7_fix", - "cci": [ - "CCI-000126", - "CCI-000172" - ], "nist": [ - "AU-2 c", - "AU-12 c" + "AU-2 c" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72103" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fchownat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw fchownat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"fchownat\" syscall, this is a finding.", - "fix": "Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 
-k perm_mod\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72105": { "tags": { - "check_id": "C-72337r7_chk", - "severity": "medium", - "gid": "V-72105", - "rid": "SV-86729r5_rule", - "stig_id": "RHEL-07-030410", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78457r7_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72337r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72105" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chmod\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw chmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"chmod\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chmod\" syscall occur.\n\nAdd or update 
the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72107": { "tags": { - "check_id": "C-72339r7_chk", - "severity": "medium", - "gid": "V-72107", - "rid": "SV-86731r5_rule", - "stig_id": "RHEL-07-030420", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78459r9_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72339r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72107" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fchmod\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw fchmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"fchmod\" syscall, this is a finding.", - "fix": "Configure the 
operating system to generate audit records when successful/unsuccessful attempts to use the \"fchmod\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72109": { "tags": { - "check_id": "C-72341r8_chk", - "severity": "medium", - "gid": "V-72109", - "rid": "SV-86733r5_rule", - "stig_id": "RHEL-07-030430", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78461r8_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72341r8_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72109" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fchmodat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw fchmodat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k 
perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"fchmodat\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"fchmodat\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72111": { "tags": { - "check_id": "C-72343r8_chk", - "severity": "medium", - "gid": "V-72111", - "rid": "SV-86735r5_rule", - "stig_id": "RHEL-07-030440", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78463r8_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72343r8_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72111" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setxattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw setxattr /etc/audit/audit.rules\n\n-a 
always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"setxattr\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setxattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72113": { "tags": { - "check_id": "C-72345r7_chk", - "severity": "medium", - "gid": "V-72113", - "rid": "SV-86737r5_rule", - "stig_id": "RHEL-07-030450", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78465r7_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72345r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72113" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fsetxattr\" 
syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw fsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"fsetxattr\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"fsetxattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72115": { "tags": { - "check_id": "C-72347r7_chk", - "severity": "medium", - "gid": "V-72115", - "rid": "SV-86739r5_rule", - "stig_id": "RHEL-07-030460", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78467r10_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72347r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72115" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, 
SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"lsetxattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw lsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"lsetxattr\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"lsetxattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." 
- } + "descs": {} }, "V-72117": { "tags": { - "check_id": "C-72349r7_chk", - "severity": "medium", - "gid": "V-72117", - "rid": "SV-86741r5_rule", - "stig_id": "RHEL-07-030470", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78469r7_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72349r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72117" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"removexattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw removexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"removexattr\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"removexattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72119": { "tags": { - "check_id": "C-72351r6_chk", - "severity": "medium", - "gid": "V-72119", - "rid": "SV-86743r5_rule", - "stig_id": "RHEL-07-030480", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78471r6_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72351r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72119" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fremovexattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw fremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"fremovexattr\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful 
attempts to use the \"fremovexattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72121": { "tags": { - "check_id": "C-72353r7_chk", - "severity": "medium", - "gid": "V-72121", - "rid": "SV-86745r5_rule", - "stig_id": "RHEL-07-030490", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78473r7_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72353r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72121" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"lremovexattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw lremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" 
and \"b64\" audit rules are not defined for the \"lremovexattr\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"lremovexattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72123": { "tags": { - "check_id": "C-72355r7_chk", - "severity": "medium", - "gid": "V-72123", - "rid": "SV-86747r5_rule", - "stig_id": "RHEL-07-030500", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78475r7_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72355r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72123" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"creat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw creat 
/etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S creat F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"creat\" syscall, this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"creat\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules:\n\n-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." 
- } + "descs": {} }, "V-72125": { "tags": { - "check_id": "C-72357r7_chk", - "severity": "medium", - "gid": "V-72125", - "rid": "SV-86749r5_rule", - "stig_id": "RHEL-07-030510", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78477r7_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72357r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72125" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the open syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"open\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw open /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"open\" syscall, this is a finding.\n\nIf the output does not produce rules containing \"-F 
exit=-EPERM\", this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"open\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72127": { "tags": { - "check_id": "C-72359r8_chk", - "severity": "medium", - "gid": "V-72127", - "rid": "SV-86751r5_rule", - "stig_id": "RHEL-07-030520", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78479r8_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72359r8_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72127" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, - "descs": { - "check": 
"Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"openat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw openat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"openat\" syscall, this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"openat\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." 
- } + "descs": {} }, "V-72129": { "tags": { - "check_id": "C-72361r7_chk", - "severity": "medium", - "gid": "V-72129", - "rid": "SV-86753r5_rule", - "stig_id": "RHEL-07-030530", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78481r8_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72361r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72129" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"open_by_handle_at\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw open_by_handle_at /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the 
\"open_by_handle_at\" syscall, this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"open_by_handle_at\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72131": { "tags": { - "check_id": "C-72363r6_chk", - "severity": "medium", - "gid": "V-72131", - "rid": "SV-86755r5_rule", - "stig_id": "RHEL-07-030540", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78483r7_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72363r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72131" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy 
filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"truncate\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw truncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"truncate\" syscall, this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"truncate\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." 
- } + "descs": {} }, "V-72133": { "tags": { - "check_id": "C-72365r7_chk", - "severity": "medium", - "gid": "V-72133", - "rid": "SV-86757r5_rule", - "stig_id": "RHEL-07-030550", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78485r8_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72365r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72133" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"ftruncate\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw ftruncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"ftruncate\" syscall, this is a finding.\n\nIf the output 
does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"ftruncate\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72135": { "tags": { - "check_id": "C-72367r6_chk", - "severity": "medium", - "gid": "V-72135", - "rid": "SV-86759r4_rule", - "stig_id": "RHEL-07-030560", - "gtitle": "SRG-OS-000392-GPOS-00172", - "fix_id": "F-78487r5_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72367r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72135" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false\"]", 
"impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"semanage\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/sbin/semanage /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"semanage\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72137": { "tags": { - "check_id": "C-72369r5_chk", - "severity": "medium", - "gid": "V-72137", - "rid": "SV-86761r4_rule", - "stig_id": "RHEL-07-030570", - "gtitle": "SRG-OS-000392-GPOS-00172", - "fix_id": "F-78489r6_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72369r5_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72137" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, 
SRG-OS-000465-GPOS-00209false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setsebool\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/sbin/setsebool /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setsebool\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72139": { "tags": { - "check_id": "C-72371r5_chk", - "severity": "medium", - "gid": "V-72139", - "rid": "SV-86763r4_rule", - "stig_id": "RHEL-07-030580", - "gtitle": "SRG-OS-000392-GPOS-00172", - "fix_id": "F-78491r6_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72371r5_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72139" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000392-GPOS-00172, 
SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chcon\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/bin/chcon /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chcon\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72141": { "tags": { - "check_id": "C-72373r7_chk", - "severity": "medium", - "gid": "V-72141", - "rid": "SV-86765r5_rule", - "stig_id": "RHEL-07-030590", - "gtitle": "SRG-OS-000392-GPOS-00172", - "fix_id": "F-78493r7_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72373r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72141" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000392-GPOS-00172, 
SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setfiles\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw /usr/sbin/setfiles /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setfiles\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72145": { "tags": { - "check_id": "C-72377r3_chk", + "check_id__added": "C-72377r3_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72145", - "rid": "SV-86769r4_rule", - "stig_id": "RHEL-07-030610", - "gtitle": "SRG-OS-000392-GPOS-00172", - "fix_id": "F-78497r4_fix", - "cci": [ - "CCI-000126", - "CCI-000172", - "CCI-002884" - ], "nist": [ - "AU-2 c", - "AU-12 c", - "MA-4 (1) (a)" + "AU-2 c" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72145" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy 
filter).\\n\\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when unsuccessful account access events occur. \n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following commands: \n\n# grep -i /var/run/faillock /etc/audit/audit.rules\n\n-w /var/run/faillock -p wa -k logins\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when unsuccessful account access events occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-w /var/run/faillock -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72147": { "tags": { - "check_id": "C-72379r3_chk", + "check_id__added": "C-72379r3_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72147", - "rid": "SV-86771r3_rule", - "stig_id": "RHEL-07-030620", - "gtitle": "SRG-OS-000392-GPOS-00172", - "fix_id": "F-78499r3_fix", - "cci": [ - "CCI-000126", - "CCI-000172", - "CCI-002884" - ], "nist": [ - "AU-2 c", - "AU-12 c", - "MA-4 (1) (a)" + "AU-2 c" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72147" - ], - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218false\"]", "impact": 0.5, - "descs": { - 
"check": "Verify the operating system generates audit records when successful account access events occur. \n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands: \n\n# grep -i /var/log/lastlog /etc/audit/audit.rules\n\n-w /var/log/lastlog -p wa -k logins \n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful account access events occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-w /var/log/lastlog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72149": { "tags": { - "check_id": "C-72381r6_chk", - "severity": "medium", - "gid": "V-72149", - "rid": "SV-86773r5_rule", - "stig_id": "RHEL-07-030630", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78501r6_fix", - "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72381r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72149" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged password commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"passwd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/bin/passwd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"passwd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." 
- } + "descs": {} }, "V-72151": { "tags": { - "check_id": "C-72383r6_chk", - "severity": "medium", - "gid": "V-72151", - "rid": "SV-86775r5_rule", - "stig_id": "RHEL-07-030640", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78503r8_fix", - "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72383r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72151" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"unix_chkpwd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw /usr/sbin/unix_chkpwd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"unix_chkpwd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be 
restarted for the changes to take effect." - } + "descs": {} }, "V-72153": { "tags": { - "check_id": "C-72385r5_chk", - "severity": "medium", - "gid": "V-72153", - "rid": "SV-86777r5_rule", - "stig_id": "RHEL-07-030650", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78505r5_fix", - "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72385r5_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72153" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"gpasswd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/bin/gpasswd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"gpasswd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit 
daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72155": { "tags": { - "check_id": "C-72387r5_chk", - "severity": "medium", - "gid": "V-72155", - "rid": "SV-86779r5_rule", - "stig_id": "RHEL-07-030660", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78507r5_fix", - "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72387r5_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72155" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chage command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chage\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/bin/chage /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chage\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit 
daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72157": { "tags": { - "check_id": "C-72389r6_chk", - "severity": "medium", - "gid": "V-72157", - "rid": "SV-86781r5_rule", - "stig_id": "RHEL-07-030670", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78509r5_fix", - "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" - ] - }, - "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72157" + "check_id__added": "C-72389r6_chk", + "documentable__added": false, + "severity": "medium" + }, + "refs": [ + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"userhelper\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/sbin/userhelper /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"userhelper\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 
-F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72159": { "tags": { - "check_id": "C-72391r6_chk", + "check_id__added": "C-72391r6_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72159", - "rid": "SV-86783r5_rule", - "stig_id": "RHEL-07-030680", - "gtitle": "SRG-OS-000037-GPOS-00015", - "fix_id": "F-78511r6_fix", - "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-3 a" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72159" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the su command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"su\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/bin/su /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change \n\nThe audit daemon must be restarted for the changes to take effect." 
- } + "descs": {} }, "V-72161": { "tags": { - "check_id": "C-72393r5_chk", + "check_id__added": "C-72393r5_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72161", - "rid": "SV-86785r4_rule", - "stig_id": "RHEL-07-030690", - "gtitle": "SRG-OS-000037-GPOS-00015", - "fix_id": "F-78513r5_fix", - "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-3 a" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72161" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"sudo\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/bin/sudo /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"sudo\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F 
path=/usr/bin/sudo -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change \n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72163": { "tags": { - "check_id": "C-72397r6_chk", + "check_id__added": "C-72397r6_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72163", - "rid": "SV-86787r5_rule", - "stig_id": "RHEL-07-030700", - "gtitle": "SRG-OS-000037-GPOS-00015", - "fix_id": "F-78517r6_fix", - "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-3 a" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72163" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to access the \"/etc/sudoers\" file and files in the \"/etc/sudoers.d/\" directory. 
\n\nCheck for modification of the following files being audited by performing the following commands to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -i \"/etc/sudoers\" /etc/audit/audit.rules\n\n-w /etc/sudoers -p wa -k privileged-actions\n\n# grep -i \"/etc/sudoers.d/\" /etc/audit/audit.rules\n\n-w /etc/sudoers.d/ -p wa -k privileged-actions\n\nIf the commands do not return output that match the examples, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to access the \"/etc/sudoers\" file and files in the \"/etc/sudoers.d/\" directory.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/sudoers -p wa -k privileged-actions\n\n-w /etc/sudoers.d/ -p wa -k privileged-actions\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72165": { "tags": { - "check_id": "C-72399r5_chk", + "check_id__added": "C-72399r5_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72165", - "rid": "SV-86789r4_rule", - "stig_id": "RHEL-07-030710", - "gtitle": "SRG-OS-000037-GPOS-00015", - "fix_id": "F-78519r5_fix", - "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-3 a" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72165" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"newgrp\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -i /usr/bin/newgrp /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"newgrp\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." 
- } + "descs": {} }, "V-72167": { "tags": { - "check_id": "C-72401r5_chk", + "check_id__added": "C-72401r5_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72167", - "rid": "SV-86791r4_rule", - "stig_id": "RHEL-07-030720", - "gtitle": "SRG-OS-000037-GPOS-00015", - "fix_id": "F-78521r5_fix", - "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-3 a" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72167" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chsh\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -i /usr/bin/chsh /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chsh\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/chsh 
-F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72171": { "tags": { - "check_id": "C-72405r11_chk", - "severity": "medium", - "gid": "V-72171", - "rid": "SV-86795r7_rule", - "stig_id": "RHEL-07-030740", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78525r9_fix", - "cci": [ - "CCI-000135", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72405r11_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72171" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged mount commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"mount\" command and syscall occur.\n\nCheck that the following system call is being audited by performing the following series of commands to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw \"mount\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"mount\" syscall, this is a finding.\n\nIf all uses of the \"mount\" command are not being audited, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"mount\" command and syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect." 
- } + "descs": {} }, "V-72173": { "tags": { - "check_id": "C-72407r6_chk", - "severity": "medium", - "gid": "V-72173", - "rid": "SV-86797r5_rule", - "stig_id": "RHEL-07-030750", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78527r5_fix", - "cci": [ - "CCI-000135", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72407r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72173" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the umount command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"umount\" command occur.\n\nCheck that the following system call is being audited by performing the following series of commands to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw \"/usr/bin/umount\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=4294967295 -k privileged-mount \n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"umount\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nThe audit daemon must be restarted 
for the changes to take effect." - } + "descs": {} }, "V-72175": { "tags": { - "check_id": "C-72409r5_chk", - "severity": "medium", - "gid": "V-72175", - "rid": "SV-86799r4_rule", - "stig_id": "RHEL-07-030760", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78529r5_fix", - "cci": [ - "CCI-000135", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72409r5_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72175" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"postdrop\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/sbin/postdrop /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295 -k privileged-postfix\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"postdrop\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295 -k 
privileged-postfix\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72177": { "tags": { - "check_id": "C-72411r4_chk", - "severity": "medium", - "gid": "V-72177", - "rid": "SV-86801r3_rule", - "stig_id": "RHEL-07-030770", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78531r5_fix", - "cci": [ - "CCI-000135", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72411r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72177" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"postqueue\" command occur. \n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/sbin/postqueue /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=4294967295 -k privileged-postfix\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"postqueue\" command occur. 
\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=4294967295 -k privileged-postfix\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72179": { "tags": { - "check_id": "C-72413r4_chk", - "severity": "medium", - "gid": "V-72179", - "rid": "SV-86803r3_rule", - "stig_id": "RHEL-07-030780", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78533r4_fix", - "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72413r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72179" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"ssh-keysign\" command occur. 
\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/libexec/openssh/ssh-keysign /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"ssh-keysign\" command occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72183": { "tags": { - "check_id": "C-72417r4_chk", - "severity": "medium", - "gid": "V-72183", - "rid": "SV-86807r3_rule", - "stig_id": "RHEL-07-030800", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78537r4_fix", - "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72417r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72183" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"crontab\" command occur. \n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/bin/crontab /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=4294967295 -k privileged-cron\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"crontab\" command occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=4294967295 -k privileged-cron\n\nThe audit daemon must be restarted for the changes to take effect." 
- } + "descs": {} }, "V-72185": { "tags": { - "check_id": "C-72419r5_chk", - "severity": "medium", - "gid": "V-72185", - "rid": "SV-86809r4_rule", - "stig_id": "RHEL-07-030810", - "gtitle": "SRG-OS-000471-GPOS-00215", - "fix_id": "F-78539r4_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72419r5_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72185" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"pam_timestamp_check\" command occur. \n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw \"/usr/sbin/pam_timestamp_check\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=4294967295 -k privileged-pam \n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"pam_timestamp_check\" command occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=4294967295 -k privileged-pam\n\nThe audit daemon must be restarted for the changes to take effect." 
- } + "descs": {} }, "V-72187": { "tags": { - "check_id": "C-72421r6_chk", - "severity": "medium", - "gid": "V-72187", - "rid": "SV-86811r5_rule", - "stig_id": "RHEL-07-030820", - "gtitle": "SRG-OS-000471-GPOS-00216", - "fix_id": "F-78541r7_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72421r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72187" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"init_module\" syscall occur. \n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw init_module /etc/audit/audit.rules \n\n-a always,exit -F arch=b32 -S init_module -k module-change\n\n-a always,exit -F arch=b64 -S init_module -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"init_module\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"init_module\" syscall occur. 
\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S init_module -k module-change\n\n-a always,exit -F arch=b64 -S init_module -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72189": { "tags": { - "check_id": "C-72423r6_chk", - "severity": "medium", - "gid": "V-72189", - "rid": "SV-86813r5_rule", - "stig_id": "RHEL-07-030830", - "gtitle": "SRG-OS-000471-GPOS-00216", - "fix_id": "F-78543r7_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72423r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72189" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"delete_module\" syscall occur. 
\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw delete_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S delete_module -k module-change\n\n-a always,exit -F arch=b64 -S delete_module -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"delete_module\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"delete_module\" syscall occur. \n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F arch=b32 -S delete_module -k module-change\n\n-a always,exit -F arch=b64 -S delete_module -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72191": { "tags": { - "check_id": "C-72425r7_chk", - "severity": "medium", - "gid": "V-72191", - "rid": "SV-86815r5_rule", - "stig_id": "RHEL-07-030840", - "gtitle": "SRG-OS-000471-GPOS-00216", - "fix_id": "F-78545r10_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72425r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72191" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"kmod\" command occur. \n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw kmod /etc/audit/audit.rules\n\n-w /usr/bin/kmod -p x -F auid!=4294967295 -k module-change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"kmod\" command occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /usr/bin/kmod -p x -F auid!=4294967295 -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72197": { "tags": { - "check_id": "C-72431r5_chk", - "severity": "medium", - "gid": "V-72197", - "rid": "SV-86821r5_rule", - "stig_id": "RHEL-07-030870", - "gtitle": "SRG-OS-000004-GPOS-00004", - "fix_id": "F-78551r4_fix", - "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-002130" - ], - "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)" - ] + "check_id__added": "C-72431r5_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72197" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/passwd\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep /etc/passwd /etc/audit/audit.rules\n\n-w /etc/passwd -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/passwd\".\n\nAdd or update the following rule \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/passwd -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect." 
- } + "descs": {} }, "V-72199": { "tags": { - "check_id": "C-72433r6_chk", - "severity": "medium", - "gid": "V-72199", - "rid": "SV-86823r5_rule", - "stig_id": "RHEL-07-030880", - "gtitle": "SRG-OS-000466-GPOS-00210", - "fix_id": "F-78553r7_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72433r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72199" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall.", - "desc": "[\"If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\\n\\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"rename\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw rename /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"rename\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"rename\" syscall occur.\n\nAdd the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to 
take effect." - } + "descs": {} }, "V-72201": { "tags": { - "check_id": "C-72435r7_chk", - "severity": "medium", - "gid": "V-72201", - "rid": "SV-86825r5_rule", - "stig_id": "RHEL-07-030890", - "gtitle": "SRG-OS-000466-GPOS-00210", - "fix_id": "F-78555r8_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72435r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72201" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall.", - "desc": "[\"If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\\n\\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"renameat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw renameat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"renameat\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"renameat\" syscall occur.\n\nAdd the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must 
be restarted for the changes to take effect." - } + "descs": {} }, "V-72203": { "tags": { - "check_id": "C-72437r6_chk", - "severity": "medium", - "gid": "V-72203", - "rid": "SV-86827r5_rule", - "stig_id": "RHEL-07-030900", - "gtitle": "SRG-OS-000466-GPOS-00210", - "fix_id": "F-78557r9_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72437r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72203" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall.", - "desc": "[\"If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\\n\\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"rmdir\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw rmdir /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"rmdir\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"rmdir\" syscall occur.\n\nAdd the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon 
must be restarted for the changes to take effect." - } + "descs": {} }, "V-72205": { "tags": { - "check_id": "C-72439r6_chk", - "severity": "medium", - "gid": "V-72205", - "rid": "SV-86829r5_rule", - "stig_id": "RHEL-07-030910", - "gtitle": "SRG-OS-000466-GPOS-00210", - "fix_id": "F-78559r7_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72439r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72205" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall.", - "desc": "[\"If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\\n\\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"unlink\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw unlink /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"unlink\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"unlink\" syscall occur.\n\nAdd the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe 
audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72207": { "tags": { - "check_id": "C-72441r7_chk", - "severity": "medium", - "gid": "V-72207", - "rid": "SV-86831r5_rule", - "stig_id": "RHEL-07-030920", - "gtitle": "SRG-OS-000466-GPOS-00210", - "fix_id": "F-78561r10_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72441r7_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72207" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall.", - "desc": "[\"If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\\n\\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"unlinkat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw unlinkat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"unlinkat\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"unlinkat\" syscall occur.\n\nAdd the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F 
auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-72209": { "tags": { - "check_id": "C-72443r2_chk", - "severity": "medium", - "gid": "V-72209", - "rid": "SV-86833r2_rule", - "stig_id": "RHEL-07-031000", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78563r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72443r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72209" - ], - "title": "The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.", - "desc": "[\"Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify \"rsyslog\" is configured to send all messages to a log aggregation server.\n\nCheck the configuration of \"rsyslog\" with the following command:\n\nNote: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\".\n\n# grep @ /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n*.* @@logagg.site.mil\n\nIf there are no lines in the \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files that contain the \"@\" or \"@@\" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all \"rsyslog\" output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. 
\n\nIf the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is a finding.", - "fix": "Modify the \"/etc/rsyslog.conf\" or an \"/etc/rsyslog.d/*.conf\" file to contain a configuration line to send all \"rsyslog\" output to a log aggregation system:\n*.* @@" - } + "descs": {} }, "V-72211": { "tags": { - "check_id": "C-72445r2_chk", + "check_id__added": "C-72445r2_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72211", - "rid": "SV-86835r2_rule", - "stig_id": "RHEL-07-031010", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78565r2_fix", - "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" - ], "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1) (a)", - "CM-5 (1)" + "CM-5 (1) (a)" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72211" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.", - "desc": "[\"Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. 
Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service.\\n\\nIf the system is intended to be a log aggregation server its use must be documented with the ISSO.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify that the system is not accepting \"rsyslog\" messages from other systems unless it is documented as a log aggregation server.\n\nCheck the configuration of \"rsyslog\" with the following command:\n\n# grep imtcp /etc/rsyslog.conf\n$ModLoad imtcp\n# grep imudp /etc/rsyslog.conf\n$ModLoad imudp\n# grep imrelp /etc/rsyslog.conf\n$ModLoad imrelp\n\nIf any of the above modules are being loaded in the \"/etc/rsyslog.conf\" file, ask to see the documentation for the system being used for log aggregation.\n\nIf the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.", - "fix": "Modify the \"/etc/rsyslog.conf\" file to remove the \"ModLoad imtcp\", \"ModLoad imudp\", and \"ModLoad imrelp\" configuration lines, or document the system as being used for log aggregation." 
- } + "descs": {} }, - "V-72213": { - "tags": { - "check_id": "C-72447r3_chk", - "severity": "high", - "gid": "V-72213", - "rid": "SV-86837r3_rule", - "stig_id": "RHEL-07-032000", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78567r2_fix", - "cci": [ - "CCI-001668" - ], - "nist": [ - "SI-3 a" - ] + "V-72213": { + "tags": { + "check_id__added": "C-72447r3_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72213" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must use a virus scan program.", - "desc": "[\"Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. \\n\\nThe virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis.\\n\\nIf the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.false\"]", - "impact": 0.7, - "descs": { - "check": "Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution.\n\nIf there is no anti-virus solution installed on the system, this is a finding.", - "fix": "Install an antivirus solution on the system." 
- } + "descs": {} }, "V-72217": { "tags": { - "check_id": "C-72451r3_chk", - "severity": "low", - "gid": "V-72217", - "rid": "SV-86841r3_rule", - "stig_id": "RHEL-07-040000", - "gtitle": "SRG-OS-000027-GPOS-00008", - "fix_id": "F-78571r2_fix", - "cci": [ - "CCI-000054" - ], - "nist": [ - "AC-10" - ] + "check_id__added": "C-72451r3_chk", + "documentable__added": false, + "severity": "low" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72217" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.", - "desc": "[\"Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.\\n\\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. 
The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.false\"]", - "impact": 0.3, - "descs": { - "check": "Verify the operating system limits the number of concurrent sessions to \"10\" for all accounts and/or account types by issuing the following command:\n\n# grep \"maxlogins\" /etc/security/limits.conf /etc/security/limits.d/*.conf\n\n* hard maxlogins 10\n\nThis can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.\n\nIf the \"maxlogins\" item is missing, commented out, or the value is not set to \"10\" or less for all domains that have the \"maxlogins\" item assigned, this is a finding.", - "fix": "Configure the operating system to limit the number of concurrent sessions to \"10\" for all accounts and/or account types.\n\nAdd the following line to the top of the /etc/security/limits.conf or in a \".conf\" file defined in /etc/security/limits.d/ :\n\n* hard maxlogins 10" - } + "descs": {} }, "V-72219": { "tags": { - "check_id": "C-72453r1_chk", - "severity": "medium", - "gid": "V-72219", - "rid": "SV-86843r2_rule", - "stig_id": "RHEL-07-040100", - "gtitle": "SRG-OS-000096-GPOS-00050", - "fix_id": "F-78573r1_fix", - "cci": [ - "CCI-000382", - "CCI-002314" - ], - "nist": [ - "CM-7 b", - "AC-17 (1)" - ] + "check_id__added": "C-72453r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72219" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.", - "desc": "[\"In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of 
data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.\\n\\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.\\n\\nTo support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.\\n\\nSatisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115false\"]", - "impact": 0.5, - "descs": { - "check": "Inspect the firewall configuration and running services to verify that it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.\n\nCheck which services are currently active with the following command:\n\n# firewall-cmd --list-all\npublic (default, active)\n interfaces: enp0s3\n sources: \n services: dhcpv6-client dns http https ldaps rpc-bind ssh\n ports: \n masquerade: no\n forward-ports: \n icmp-blocks: \n rich rules: \n\nAsk the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. 
\n\nIf there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.", - "fix": "Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL." - } + "descs": {} }, "V-72221": { "tags": { - "check_id": "C-72455r4_chk", - "severity": "medium", - "gid": "V-72221", - "rid": "SV-86845r3_rule", - "stig_id": "RHEL-07-040110", - "gtitle": "SRG-OS-000033-GPOS-00014", - "fix_id": "F-78575r3_fix", - "cci": [ - "CCI-000068", - "CCI-000366", - "CCI-000803" - ], - "nist": [ - "AC-17 (2)", - "CM-6 b", - "IA-7" - ] + "check_id__added": "C-72455r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72221" - ], - "title": "The Red Hat Enterprise Linux operating system must use a FIPS 140-2 approved cryptographic algorithm for SSH communications.", - "desc": "[\"Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\\n\\nOperating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.\\n\\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.\\n\\nSatisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.\n\nNote: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.\n\nThe location of the \"sshd_config\" file may vary if a different daemon is in use.\n\nInspect the \"Ciphers\" configuration with the following command:\n\n# grep -i ciphers /etc/ssh/sshd_config\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nIf any ciphers other than \"aes128-ctr\", \"aes192-ctr\", or \"aes256-ctr\" are listed, the \"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.", - "fix": "Configure SSH to use FIPS 140-2 approved cryptographic algorithms.\n\nAdd the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).\n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nThe SSH service must be restarted for changes to take effect." 
- } + "descs": {} }, "V-72223": { "tags": { - "check_id": "C-72457r4_chk", - "severity": "medium", - "gid": "V-72223", - "rid": "SV-86847r4_rule", - "stig_id": "RHEL-07-040160", - "gtitle": "SRG-OS-000163-GPOS-00072", - "fix_id": "F-78577r5_fix", - "cci": [ - "CCI-001133", - "CCI-002361" - ], - "nist": [ - "SC-10", - "AC-12" - ] + "check_id__added": "C-72457r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72223" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.", - "desc": "[\"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. \\n\\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. 
This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity.\n\nCheck the value of the system inactivity timeout with the following command:\n\n# grep -i tmout /etc/profile.d/*\n\netc/profile.d/tmout.sh:TMOUT=600\n\n/etc/profile.d/tmout.sh:readonly TMOUT\n\n/etc/profile.d/tmout.sh:export TMOUT\n\nIf \"TMOUT\" is not set to \"600\" or less in a script located in the /etc/profile.d/ directory to enforce session termination after inactivity, this is a finding.", - "fix": "Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity.\n\nCreate a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:\n\n#!/bin/bash\n\nTMOUT=600\nreadonly TMOUT\nexport TMOUT" - } + "descs": {} }, "V-72225": { "tags": { - "check_id": "C-72459r3_chk", + "check_id__added": "C-72459r3_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72225", "rid": "SV-86849r5_rule", - "stig_id": "RHEL-07-040170", - "gtitle": "SRG-OS-000023-GPOS-00006", "fix_id": "F-78579r5_fix", - "cci": [ - "CCI-000048", - "CCI-000050", - "CCI-001384", - "CCI-001385", - "CCI-001386", - "CCI-001387", - "CCI-001388" - ], "nist": [ - "AC-8 a", - "AC-8 b", - "AC-8 c 1", - "AC-8 c 2", - "AC-8 c 2", - "AC-8 c 2", - "AC-8 c 3" + "AC-8 c 2" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72225" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts.", - "desc": "[\"Display 
of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\\n\\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\\n\\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\\n\\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\\\"\\n\\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007 , SRG-OS-000228-GPOS-00088false\"]", - "impact": 0.5, - "descs": { - "check": "Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nCheck for the location of the banner file being used with the following command:\n\n# grep -i banner /etc/ssh/sshd_config\n\nbanner /etc/issue\n\nThis command will return the banner keyword and the name of the file that contains the ssh banner (in this case \"/etc/issue\").\n\nIf the line is commented out, this is a finding.\n\nView the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, 
psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nIf the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.\n\nIf the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.", - "fix": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is:\n\nbanner /etc/issue\n\nEither create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nThe SSH service must be restarted for changes to take effect." 
- } + "descs": {} }, "V-72227": { "tags": { - "check_id": "C-72461r3_chk", - "severity": "medium", - "gid": "V-72227", - "rid": "SV-86851r4_rule", - "stig_id": "RHEL-07-040180", - "gtitle": "SRG-OS-000250-GPOS-00093", - "fix_id": "F-78581r2_fix", - "cci": [ - "CCI-001453" - ], - "nist": [ - "AC-17 (2)" - ] + "check_id__added": "C-72461r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72227" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.", - "desc": "[\"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\\n\\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.false\"]", "impact": 0.5, - "descs": { - "check": "If LDAP is not being utilized, this requirement is Not Applicable.\n\nVerify the operating system implements cryptography to protect the integrity of remote LDAP authentication sessions.\n\nTo determine if LDAP is being used for authentication, use the following command:\n\n# systemctl status sssd.service\nsssd.service - System Security Services Daemon\nLoaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\nActive: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n\nIf the \"sssd.service\" is \"active\", then LDAP is being used. 
\n\nDetermine the \"id_provider\" the LDAP is currently using:\n\n# grep -i \"id_provider\" /etc/sssd/sssd.conf\n\nid_provider = ad\n\nIf \"id_provider\" is set to \"ad\", this is Not Applicable.\n\nEnsure that LDAP is configured to use TLS by using the following command:\n\n# grep -i \"start_tls\" /etc/sssd/sssd.conf\nldap_id_use_start_tls = true\n\nIf the \"ldap_id_use_start_tls\" option is not \"true\", this is a finding.", - "fix": "Configure the operating system to implement cryptography to protect the integrity of LDAP authentication sessions.\n\nAdd or modify the following line in \"/etc/sssd/sssd.conf\":\n\nldap_id_use_start_tls = true" - } + "descs": {} }, "V-72229": { "tags": { - "check_id": "C-72463r6_chk", - "severity": "medium", - "gid": "V-72229", - "rid": "SV-86853r4_rule", - "stig_id": "RHEL-07-040190", - "gtitle": "SRG-OS-000250-GPOS-00093", - "fix_id": "F-78583r4_fix", - "cci": [ - "CCI-001453" - ], - "nist": [ - "AC-17 (2)" - ] + "check_id__added": "C-72463r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72229" - ], - "title": "The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.", - "desc": "[\"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\\n\\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.false\"]", "impact": 0.5, - "descs": { - "check": "If LDAP is not being utilized, this requirement is Not Applicable.\n\nVerify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.\n\nTo 
determine if LDAP is being used for authentication, use the following command:\n\n# systemctl status sssd.service\nsssd.service - System Security Services Daemon\nLoaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\nActive: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n\nIf the \"sssd.service\" is \"active\", then LDAP is being used. \n\nDetermine the \"id_provider\" the LDAP is currently using:\n\n# grep -i \"id_provider\" /etc/sssd/sssd.conf\n\nid_provider = ad\n\nIf \"id_provider\" is set to \"ad\", this is Not Applicable.\n\nVerify the sssd service is configured to require the use of certificates:\n\n# grep -i tls_reqcert /etc/sssd/sssd.conf\nldap_tls_reqcert = demand\n\nIf the \"ldap_tls_reqcert\" setting is missing, commented out, or does not exist, this is a finding.\n\nIf the \"ldap_tls_reqcert\" setting is not set to \"demand\" or \"hard\", this is a finding.", - "fix": "Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.\n\nAdd or modify the following line in \"/etc/sssd/sssd.conf\":\n\nldap_tls_reqcert = demand" - } + "descs": {} }, "V-72231": { "tags": { - "check_id": "C-72465r4_chk", - "severity": "medium", - "gid": "V-72231", - "rid": "SV-86855r4_rule", - "stig_id": "RHEL-07-040200", - "gtitle": "SRG-OS-000250-GPOS-00093", - "fix_id": "F-78585r3_fix", - "cci": [ - "CCI-001453" - ], - "nist": [ - "AC-17 (2)" - ] + "check_id__added": "C-72465r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72231" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.", - "desc": "[\"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\\n\\nCryptographic mechanisms used 
for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.false\"]", "impact": 0.5, - "descs": { - "check": "If LDAP is not being utilized, this requirement is Not Applicable.\n\nVerify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.\n\nTo determine if LDAP is being used for authentication, use the following command:\n\n# systemctl status sssd.service\nsssd.service - System Security Services Daemon\nLoaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\nActive: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n\nIf the \"sssd.service\" is \"active\", then LDAP is being used.\n\nDetermine the \"id_provider\" that the LDAP is currently using:\n\n# grep -i \"id_provider\" /etc/sssd/sssd.conf\n\nid_provider = ad\n\nIf \"id_provider\" is set to \"ad\", this is Not Applicable.\n\nCheck the path to the X.509 certificate for peer authentication with the following command:\n\n# grep -i tls_cacert /etc/sssd/sssd.conf\n\nldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt\n\nVerify the \"ldap_tls_cacert\" option points to a file that contains the trusted CA certificate.\n\nIf this file does not exist, or the option is commented out or missing, this is a finding.", - "fix": "Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.\n\nAdd or modify the following line in \"/etc/sssd/sssd.conf\":\n\nldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt" - } + "descs": {} }, "V-72233": { "tags": { - "check_id": "C-72467r3_chk", - "severity": "medium", - "gid": "V-72233", - "rid": "SV-86857r3_rule", - "stig_id": "RHEL-07-040300", - "gtitle": "SRG-OS-000423-GPOS-00187", - "fix_id": "F-78587r3_fix", - "cci": [ - "CCI-002418", - 
"CCI-002420", - "CCI-002421", - "CCI-002422" - ], - "nist": [ - "SC-8", - "SC-8 (2)", - "SC-8 (1)", - "SC-8 (2)" - ] + "check_id__added": "C-72467r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72233" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.", - "desc": "[\"Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \\n\\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \\n\\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.\\n\\nSatisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190false\"]", - "impact": 0.5, - "descs": { - "check": "Check to see if sshd is installed with the following command:\n\n# yum list installed \\*ssh\\*\nlibssh2.x86_64 1.4.3-8.el7 @anaconda/7.1\nopenssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1\nopenssh-server.x86_64 6.6.1p1-11.el7 @anaconda/7.1\n\nIf the \"SSH server\" package is not installed, this is a finding.", - "fix": "Install SSH packages onto the host with the following commands:\n\n# yum install openssh-server.x86_64" - } + "descs": {} }, "V-72235": { "tags": { - "check_id": "C-72469r3_chk", - "severity": "medium", - "gid": "V-72235", - "rid": "SV-86859r3_rule", - "stig_id": "RHEL-07-040310", - "gtitle": "SRG-OS-000423-GPOS-00187", - "fix_id": "F-78589r2_fix", - "cci": [ - "CCI-002418", - "CCI-002420", - "CCI-002421", - "CCI-002422" - ], - "nist": [ - "SC-8", - "SC-8 (2)", - "SC-8 (1)", - "SC-8 (2)" - ] + "check_id__added": "C-72469r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72235" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.", - "desc": "[\"Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
\\n\\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \\n\\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\\n\\nSatisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS-000423-GPOS-00190false\"]", - "impact": 0.5, - "descs": { - "check": "Verify SSH is loaded and active with the following command:\n\n# systemctl status sshd\nsshd.service - OpenSSH server daemon\nLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\nActive: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\nMain PID: 1348 (sshd)\nCGroup: /system.slice/sshd.service\n1053 /usr/sbin/sshd -D\n\nIf \"sshd\" does not show a status of \"active\" and \"running\", this is a finding.", - "fix": "Configure the SSH service to automatically start after reboot with the following command:\n\n# systemctl enable sshd.service" - } + "descs": {} }, "V-72237": { "tags": { - "check_id": "C-72471r2_chk", - "severity": "medium", - "gid": "V-72237", - "rid": "SV-86861r4_rule", - "stig_id": "RHEL-07-040320", - "gtitle": "SRG-OS-000163-GPOS-00072", - "fix_id": "F-78591r2_fix", - "cci": [ - "CCI-001133", - "CCI-002361" - ], - "nist": [ - "SC-10", - "AC-12" - ] + "check_id__added": "C-72471r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target 
Red Hat 7" ], - "id": [ - "V-72237" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.", - "desc": "[\"Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\\n\\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. 
This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\\n\\nSatisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system automatically terminates a user session after inactivity time-outs have expired.\n\nCheck for the value of the \"ClientAliveInterval\" keyword with the following command:\n\n# grep -iw clientaliveinterval /etc/ssh/sshd_config\n\nClientAliveInterval 600\n\nIf \"ClientAliveInterval\" is not configured, commented out, or has a value of \"0\", this is a finding.\n\nIf \"ClientAliveInterval\" has a value that is greater than \"600\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown.\n\nAdd the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nClientAliveInterval 600\n\nThe SSH service must be restarted for changes to take effect." 
- } + "descs": {} }, "V-72239": { "tags": { - "check_id": "C-72473r5_chk", - "severity": "medium", - "gid": "V-72239", - "rid": "SV-86863r4_rule", - "stig_id": "RHEL-07-040330", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78593r4_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72473r5_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72239" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.", - "desc": "[\"Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false\"]", - "impact": 0.5, - "descs": { - "check": "Check the version of the operating system with the following command:\n\n# cat /etc/redhat-release\n\nIf the release is 7.4 or newer this requirement is Not Applicable.\n\nVerify the SSH daemon does not allow authentication using RSA rhosts authentication.\n\nTo determine how the SSH daemon's \"RhostsRSAAuthentication\" option is set, run the following command:\n\n# grep RhostsRSAAuthentication /etc/ssh/sshd_config\nRhostsRSAAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, or no output is returned, this is a finding.", - "fix": "Configure the SSH daemon to not allow authentication using RSA rhosts authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"no\":\n\nRhostsRSAAuthentication no\n\nThe SSH service must be restarted for changes to take effect." 
- } + "descs": {} }, "V-72241": { "tags": { - "check_id": "C-72475r4_chk", - "severity": "medium", - "gid": "V-72241", - "rid": "SV-86865r4_rule", - "stig_id": "RHEL-07-040340", - "gtitle": "SRG-OS-000163-GPOS-00072", - "fix_id": "F-78595r4_fix", - "cci": [ - "CCI-001133", - "CCI-002361" - ], - "nist": [ - "SC-10", - "AC-12" - ] + "check_id__added": "C-72475r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72241" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity.", - "desc": "[\"Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\\n\\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. 
This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\\n\\nSatisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system automatically terminates a user session after inactivity time-outs have expired.\n\nCheck for the value of the \"ClientAliveCountMax\" keyword with the following command:\n\n# grep -i clientalivecount /etc/ssh/sshd_config\nClientAliveCountMax 0\n\nIf \"ClientAliveCountMax\" is not set to \"0\", this is a finding.", - "fix": "Configure the operating system to terminate automatically a user session after inactivity time-outs have expired or at shutdown.\n\nAdd the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nClientAliveCountMax 0\n\nThe SSH service must be restarted for changes to take effect." 
- } + "descs": {} }, "V-72243": { "tags": { - "check_id": "C-72477r1_chk", - "severity": "medium", - "gid": "V-72243", - "rid": "SV-86867r3_rule", - "stig_id": "RHEL-07-040350", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78597r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72477r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72243" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.", - "desc": "[\"Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the SSH daemon does not allow authentication using known hosts authentication.\n\nTo determine how the SSH daemon's \"IgnoreRhosts\" option is set, run the following command:\n\n# grep -i IgnoreRhosts /etc/ssh/sshd_config\n\nIgnoreRhosts yes\n\nIf the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding.", - "fix": "Configure the SSH daemon to not allow authentication using known hosts authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"yes\":\n\nIgnoreRhosts yes" - } + "descs": {} }, "V-72245": { "tags": { - "check_id": "C-72479r1_chk", - "severity": "medium", - "gid": "V-72245", - "rid": "SV-86869r3_rule", - "stig_id": "RHEL-07-040360", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78599r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72479r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72245" - ], 
- "title": "The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon.", - "desc": "[\"Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify SSH provides users with feedback on when account accesses last occurred.\n\nCheck that \"PrintLastLog\" keyword in the sshd daemon configuration file is used and set to \"yes\" with the following command:\n\n# grep -i printlastlog /etc/ssh/sshd_config\nPrintLastLog yes\n\nIf the \"PrintLastLog\" keyword is set to \"no\", is missing, or is commented out, this is a finding.", - "fix": "Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in \"/etc/pam.d/sshd\" or in the \"sshd_config\" file used by the system (\"/etc/ssh/sshd_config\" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).\n\nModify the \"PrintLastLog\" line in \"/etc/ssh/sshd_config\" to match the following:\n\nPrintLastLog yes\n\nThe SSH service must be restarted for changes to \"sshd_config\" to take effect." 
- } + "descs": {} }, "V-72247": { "tags": { - "check_id": "C-72481r1_chk", - "severity": "medium", - "gid": "V-72247", - "rid": "SV-86871r3_rule", - "stig_id": "RHEL-07-040370", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78601r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72481r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72247" - ], - "title": "The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH.", - "desc": "[\"Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify remote access using SSH prevents users from logging on directly as root.\n\nCheck that SSH prevents users from logging on directly as root with the following command:\n\n# grep -i permitrootlogin /etc/ssh/sshd_config\nPermitRootLogin no\n\nIf the \"PermitRootLogin\" keyword is set to \"yes\", is missing, or is commented out, this is a finding.", - "fix": "Configure SSH to stop users from logging on remotely as the root user.\n\nEdit the appropriate \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"PermitRootLogin\" keyword and set its value to \"no\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nPermitRootLogin no\n\nThe SSH service must be restarted for changes to take effect." 
- } + "descs": {} }, "V-72249": { "tags": { - "check_id": "C-72483r1_chk", - "severity": "medium", - "gid": "V-72249", - "rid": "SV-86873r3_rule", - "stig_id": "RHEL-07-040380", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78603r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72483r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72249" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.", - "desc": "[\"Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the SSH daemon does not allow authentication using known hosts authentication.\n\nTo determine how the SSH daemon's \"IgnoreUserKnownHosts\" option is set, run the following command:\n\n# grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config\n\nIgnoreUserKnownHosts yes\n\nIf the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding.", - "fix": "Configure the SSH daemon to not allow authentication using known hosts authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"yes\":\n\nIgnoreUserKnownHosts yes\n\nThe SSH service must be restarted for changes to take effect." 
- } + "descs": {} }, "V-72251": { "tags": { - "check_id": "C-72485r2_chk", - "severity": "high", - "gid": "V-72251", - "rid": "SV-86875r4_rule", - "stig_id": "RHEL-07-040390", - "gtitle": "SRG-OS-000074-GPOS-00042", - "fix_id": "F-78605r2_fix", - "cci": [ - "CCI-000197", - "CCI-000366" - ], - "nist": [ - "IA-5 (1) (c)", - "CM-6 b" - ] + "check_id__added": "C-72485r2_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72251" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.", - "desc": "[\"SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.\\n\\nSatisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227false\"]", - "impact": 0.7, - "descs": { - "check": "Check the version of the operating system with the following command:\n\n# cat /etc/redhat-release\n\nIf the release is 7.4 or newer this requirement is Not Applicable.\n\nVerify the SSH daemon is configured to only use the SSHv2 protocol.\n\nCheck that the SSH daemon is configured to only use the SSHv2 protocol with the following command:\n\n# grep -i protocol /etc/ssh/sshd_config\nProtocol 2\n#Protocol 1,2\n\nIf any protocol line other than \"Protocol 2\" is uncommented, this is a finding.", - "fix": "Remove all Protocol lines that reference version \"1\" in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The \"Protocol\" line must be as follows:\n\nProtocol 2\n\nThe SSH service must be restarted for changes to take effect." 
- } + "descs": {} }, "V-72253": { "tags": { - "check_id": "C-72487r5_chk", - "severity": "medium", - "gid": "V-72253", - "rid": "SV-86877r3_rule", - "stig_id": "RHEL-07-040400", - "gtitle": "SRG-OS-000250-GPOS-00093", - "fix_id": "F-78607r2_fix", - "cci": [ - "CCI-001453" - ], - "nist": [ - "AC-17 (2)" - ] + "check_id__added": "C-72487r5_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72253" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.", - "desc": "[\"DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers.\n\nNote: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.\n\nCheck that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers with the following command:\n\n# grep -i macs /etc/ssh/sshd_config\nMACs hmac-sha2-256,hmac-sha2-512\n\nIf any ciphers other than \"hmac-sha2-256\" or \"hmac-sha2-512\" are listed or the returned line is commented out, this is a finding.", - "fix": "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"MACs\" keyword and set its value to \"hmac-sha2-256\" and/or \"hmac-sha2-512\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nMACs hmac-sha2-256,hmac-sha2-512\n\nThe SSH service must be restarted for changes to take effect." 
- } + "descs": {} }, "V-72255": { "tags": { - "check_id": "C-72489r2_chk", - "severity": "medium", - "gid": "V-72255", - "rid": "SV-86879r2_rule", - "stig_id": "RHEL-07-040410", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78609r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72489r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72255" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.", - "desc": "[\"If a public host key file is modified by an unauthorized user, the SSH service may be compromised.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the SSH public host key files have mode \"0644\" or less permissive.\n\nNote: SSH public key files may be found in other directories on the system depending on the installation.\n\nThe following command will find all SSH public key files on the system:\n\n# find /etc/ssh -name '*.pub' -exec ls -lL {} \\;\n\n-rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub\n-rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub\n-rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub\n\nIf any file has a mode more permissive than \"0644\", this is a finding.", - "fix": "Note: SSH public key files may be found in other directories on the system depending on the installation. 
\n\nChange the mode of public host key files under \"/etc/ssh\" to \"0644\" with the following command:\n\n# chmod 0644 /etc/ssh/*.key.pub" - } + "descs": {} }, "V-72257": { - "tags": { - "check_id": "C-72491r4_chk", - "severity": "medium", - "gid": "V-72257", - "rid": "SV-86881r3_rule", - "stig_id": "RHEL-07-040420", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78611r5_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] - }, - "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72257" + "tags": { + "check_id__added": "C-72491r4_chk", + "documentable__added": false, + "severity": "medium" + }, + "refs": [ + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive.", - "desc": "[\"If an unauthorized user obtains the private SSH host key file, the host could be impersonated.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the SSH private host key files have mode \"0640\" or less permissive.\n\nThe following command will find all SSH private key files on the system and list their modes:\n\n# find / -name '*ssh_host*key' | xargs ls -lL\n\n-rw-r----- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key\n-rw-r----- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key\n-rw-r----- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any file has a mode more permissive than \"0640\", this is a finding.", - "fix": "Configure the mode of SSH private host key files under \"/etc/ssh\" to \"0640\" with the following command:\n\n# chmod 0640 /path/to/file/ssh_host*key" - } + "descs": {} }, "V-72259": { "tags": { - "check_id": "C-72493r1_chk", + "check_id__added": "C-72493r1_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72259", - "rid": "SV-86883r3_rule", - "stig_id": "RHEL-07-040430", - "gtitle": "SRG-OS-000364-GPOS-00151", - "fix_id": "F-78613r2_fix", - "cci": [ - "CCI-000318", - "CCI-000368", - 
"CCI-001812", - "CCI-001813", - "CCI-001814" - ], "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1) (a)", - "CM-5 (1)" + "CM-5 (1) (a)" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72259" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.", - "desc": "[\"GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the SSH daemon does not permit GSSAPI authentication unless approved.\n\nCheck that the SSH daemon does not permit GSSAPI authentication with the following command:\n\n# grep -i gssapiauth /etc/ssh/sshd_config\nGSSAPIAuthentication no\n\nIf the \"GSSAPIAuthentication\" keyword is missing, is set to \"yes\" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.", - "fix": "Uncomment the \"GSSAPIAuthentication\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to \"no\": \n\nGSSAPIAuthentication no\n\nThe SSH service must be restarted for changes to take effect.\n\nIf GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO." 
- } + "descs": {} }, "V-72261": { "tags": { - "check_id": "C-72495r1_chk", + "check_id__added": "C-72495r1_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72261", - "rid": "SV-86885r3_rule", - "stig_id": "RHEL-07-040440", - "gtitle": "SRG-OS-000364-GPOS-00151", - "fix_id": "F-78615r2_fix", - "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" - ], "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1) (a)", - "CM-5 (1)" + "CM-5 (1) (a)" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72261" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.", - "desc": "[\"Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. 
To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved.\n\nCheck that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:\n\n# grep -i kerberosauth /etc/ssh/sshd_config\nKerberosAuthentication no\n\nIf the \"KerberosAuthentication\" keyword is missing, or is set to \"yes\" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.", - "fix": "Uncomment the \"KerberosAuthentication\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to \"no\":\n\nKerberosAuthentication no\n\nThe SSH service must be restarted for changes to take effect.\n\nIf Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO." 
- } + "descs": {} }, "V-72263": { "tags": { - "check_id": "C-72497r6_chk", - "severity": "medium", - "gid": "V-72263", - "rid": "SV-86887r3_rule", - "stig_id": "RHEL-07-040450", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78617r4_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72497r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72263" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.", - "desc": "[\"If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the SSH daemon performs strict mode checking of home directory configuration files.\n\nThe location of the \"sshd_config\" file may vary if a different daemon is in use.\n\nInspect the \"sshd_config\" file with the following command:\n\n# grep -i strictmodes /etc/ssh/sshd_config\n\nStrictModes yes\n\nIf \"StrictModes\" is set to \"no\", is missing, or the returned line is commented out, this is a finding.", - "fix": "Uncomment the \"StrictModes\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to \"yes\":\n\nStrictModes yes\n\nThe SSH service must be restarted for changes to take effect." 
- } + "descs": {} }, "V-72265": { "tags": { - "check_id": "C-72499r3_chk", - "severity": "medium", - "gid": "V-72265", - "rid": "SV-86889r3_rule", - "stig_id": "RHEL-07-040460", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78619r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72499r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72265" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.", - "desc": "[\"SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the SSH daemon performs privilege separation.\n\nCheck that the SSH daemon performs privilege separation with the following command:\n\n# grep -i usepriv /etc/ssh/sshd_config\n\nUsePrivilegeSeparation sandbox\n\nIf the \"UsePrivilegeSeparation\" keyword is set to \"no\", is missing, or the returned line is commented out, this is a finding.", - "fix": "Uncomment the \"UsePrivilegeSeparation\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to \"sandbox\" or \"yes\":\n\nUsePrivilegeSeparation sandbox\n\nThe SSH service must be restarted for changes to take effect." 
- } + "descs": {} }, "V-72267": { "tags": { - "check_id": "C-72501r2_chk", - "severity": "medium", - "gid": "V-72267", - "rid": "SV-86891r3_rule", - "stig_id": "RHEL-07-040470", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78621r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72501r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72267" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.", - "desc": "[\"If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the SSH daemon performs compression after a user successfully authenticates.\n\nCheck that the SSH daemon performs compression after a user successfully authenticates with the following command:\n\n# grep -i compression /etc/ssh/sshd_config\nCompression delayed\n\nIf the \"Compression\" keyword is set to \"yes\", is missing, or the returned line is commented out, this is a finding.", - "fix": "Uncomment the \"Compression\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to \"delayed\" or \"no\":\n\nCompression no\n\nThe SSH service must be restarted for changes to take effect." 
- } + "descs": {} }, "V-72269": { "tags": { - "check_id": "C-72503r6_chk", - "severity": "medium", - "gid": "V-72269", - "rid": "SV-86893r5_rule", - "stig_id": "RHEL-07-040500", - "gtitle": "SRG-OS-000355-GPOS-00143", - "fix_id": "F-78623r5_fix", - "cci": [ - "CCI-001891", - "CCI-002046" - ], - "nist": [ - "AU-8 (1) (a)", - "AU-8 (1) (b)" - ] + "check_id__added": "C-72503r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72269" - ], - "title": "The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).", - "desc": "[\"Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. 
Sources outside the configured acceptable allowance (drift) may be inaccurate.\\n\\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\\n\\nOrganizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).\\n\\nSatisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144false\"]", - "impact": 0.5, - "descs": { - "check": "Check to see if NTP is running in continuous mode:\n\n# ps -ef | grep ntp\n\nIf NTP is not running, check to see if \"chronyd\" is running in continuous mode:\n\n# ps -ef | grep chronyd\n\nIf NTP or \"chronyd\" is not running, this is a finding.\n\nIf the NTP process is found, then check the \"ntp.conf\" file for the \"maxpoll\" option setting:\n\n# grep maxpoll /etc/ntp.conf\n\nserver 0.rhel.pool.ntp.org iburst maxpoll 10\n\nIf the option is set to \"17\" or is not set, this is a finding.\n\nIf the file does not exist, check the \"/etc/cron.daily\" subdirectory for a crontab file controlling the execution of the \"ntpd -q\" command.\n\n# grep -i \"ntpd -q\" /etc/cron.daily/*\n# ls -al /etc/cron.* | grep ntp\n\nntp\n\nIf a crontab file does not exist in the \"/etc/cron.daily\" that executes the \"ntpd -q\" command, this is a finding.\n\nIf the \"chronyd\" process is found, then check the \"chrony.conf\" file for the \"maxpoll\" option setting:\n\n# grep maxpoll /etc/chrony.conf\n\nserver 0.rhel.pool.ntp.org iburst maxpoll 10\n\nIf the option is not set or the line is commented out, this is a finding.", - "fix": "Edit the \"/etc/ntp.conf\" or \"/etc/chrony.conf\" file and add or update an entry to define \"maxpoll\" to \"10\" as follows:\n\nserver 0.rhel.pool.ntp.org iburst maxpoll 10\n\nIf NTP was running and \"maxpoll\" was updated, the NTP service must be restarted:\n\n# systemctl restart ntpd\n\nIf NTP was not running, it must be 
started:\n\n# systemctl start ntpd \n\nIf \"chronyd\" was running and \"maxpoll\" was updated, the service must be restarted:\n\n# systemctl restart chronyd.service\n\nIf \"chronyd\" was not running, it must be started:\n\n# systemctl start chronyd.service" - } + "descs": {} }, "V-72273": { "tags": { - "check_id": "C-72507r1_chk", - "severity": "medium", - "gid": "V-72273", - "rid": "SV-86897r2_rule", - "stig_id": "RHEL-07-040520", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78627r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72507r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72273" - ], - "title": "The Red Hat Enterprise Linux operating system must enable an application firewall, if available.", - "desc": "[\"Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.\\n\\nSatisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system enabled an application firewall.\n\nCheck to see if \"firewalld\" is installed with the following command:\n\n# yum list installed firewalld\nfirewalld-0.3.9-11.el7.noarch.rpm\n\nIf the \"firewalld\" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed. \n\nIf an application firewall is not installed, this is a finding. 
\n\nCheck to see if the firewall is loaded and active with the following command:\n\n# systemctl status firewalld\nfirewalld.service - firewalld - dynamic firewall daemon\n\n Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\n Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago\n\nIf \"firewalld\" does not show a status of \"loaded\" and \"active\", this is a finding. \n\nCheck the state of the firewall:\n\n# firewall-cmd --state \nrunning\n\nIf \"firewalld\" does not show a state of \"running\", this is a finding.", - "fix": "Ensure the operating system's application firewall is enabled.\n\nInstall the \"firewalld\" package, if it is not on the system, with the following command:\n\n# yum install firewalld\n\nStart the firewall via \"systemctl\" with the following command:\n\n# systemctl start firewalld" - } + "descs": {} }, "V-72275": { "tags": { - "check_id": "C-72509r6_chk", - "severity": "low", - "gid": "V-72275", - "rid": "SV-86899r4_rule", - "stig_id": "RHEL-07-040530", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78629r4_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72509r6_chk", + "documentable__added": false, + "severity": "low" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72275" - ], - "title": "The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.", - "desc": "[\"Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.false\"]", - "impact": 0.3, - "descs": { - "check": "Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that \"pam_lastlog\" is used and not silent with the following command:\n\n# grep pam_lastlog /etc/pam.d/postlogin\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is missing from 
\"/etc/pam.d/postlogin\" file, or the silent option is present, this is a finding.", - "fix": "Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in \"/etc/pam.d/postlogin\". \n\nAdd the following line to the top of \"/etc/pam.d/postlogin\":\n\nsession required pam_lastlog.so showfailed" - } + "descs": {} }, "V-72277": { "tags": { - "check_id": "C-72511r1_chk", - "severity": "high", - "gid": "V-72277", - "rid": "SV-86901r2_rule", - "stig_id": "RHEL-07-040540", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78631r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72511r1_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72277" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not contain .shosts files.", - "desc": "[\"The .shosts files are used to configure host-based authentication for individual users or the system via SSH. 
Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false\"]", - "impact": 0.7, - "descs": { - "check": "Verify there are no \".shosts\" files on the system.\n\nCheck the system for the existence of these files with the following command:\n\n# find / -name '*.shosts'\n\nIf any \".shosts\" files are found on the system, this is a finding.", - "fix": "Remove any found \".shosts\" files from the system.\n\n# rm /[path]/[to]/[file]/.shosts" - } + "descs": {} }, "V-72279": { "tags": { - "check_id": "C-72513r1_chk", - "severity": "high", - "gid": "V-72279", - "rid": "SV-86903r2_rule", - "stig_id": "RHEL-07-040550", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78633r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72513r1_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72279" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.", - "desc": "[\"The shosts.equiv files are used to configure host-based authentication for the system via SSH. 
Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false\"]", - "impact": 0.7, - "descs": { - "check": "Verify there are no \"shosts.equiv\" files on the system.\n\nCheck the system for the existence of these files with the following command:\n\n# find / -name shosts.equiv\n\nIf any \"shosts.equiv\" files are found on the system, this is a finding.", - "fix": "Remove any found \"shosts.equiv\" files from the system.\n\n# rm /[path]/[to]/[file]/shosts.equiv" - } + "descs": {} }, "V-72281": { "tags": { - "check_id": "C-72515r3_chk", + "check_id__added": "C-72515r3_chk", + "documentable__added": false, "severity": "low", - "gid": "V-72281", - "rid": "SV-86905r3_rule", - "stig_id": "RHEL-07-040600", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78635r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "rid": "SV-86905r3_rule" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72281" - ], - "title": "For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured.", - "desc": "[\"To provide availability for name resolution services, multiple redundant name servers are mandated. 
A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.false\"]", - "impact": 0.3, "descs": { - "check": "Determine whether the system is using local or DNS name resolution with the following command:\n\n# grep hosts /etc/nsswitch.conf\nhosts: files dns\n\nIf the DNS entry is missing from the host's line in the \"/etc/nsswitch.conf\" file, the \"/etc/resolv.conf\" file must be empty.\n\nVerify the \"/etc/resolv.conf\" file is empty with the following command:\n\n# ls -al /etc/resolv.conf\n-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf\n\nIf local host authentication is being used and the \"/etc/resolv.conf\" file is not empty, this is a finding.\n\nIf the DNS entry is found on the host's line of the \"/etc/nsswitch.conf\" file, verify the operating system is configured to use two or more name servers for DNS resolution.\n\nDetermine the name servers used by the system with the following command:\n\n# grep nameserver /etc/resolv.conf\nnameserver 192.168.1.2\nnameserver 192.168.1.3\n\nIf less than two lines are returned that are not commented out, this is a finding.\n\nVerify that the \"/etc/resolv.conf\" file is immutable with the following command:\n\n# sudo lsattr /etc/resolv.conf\n\n----i----------- /etc/resolv.conf\n\nIf the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding.", - "fix": "Configure the operating system to use two or more name servers for DNS resolution.\n\nEdit the \"/etc/resolv.conf\" file to uncomment or add the two or more \"nameserver\" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the \"/etc/resolv.conf\" file must be empty. 
An empty \"/etc/resolv.conf\" file can be created as follows:\n\n# echo -n > /etc/resolv.conf\n\nAnd then make the file immutable with the following command:\n\n# chattr +i /etc/resolv.conf\n\nIf the \"/etc/resolv.conf\" file must be mutable, the required configuration must be documented with the Information System Security Officer (ISSO) and the file must be verified by the system file integrity tool." + "check": "Determine whether the system is using local or DNS name resolution with the following command:\n\n# grep hosts /etc/nsswitch.conf\nhosts: files dns\n\nIf the DNS entry is missing from the host's line in the \"/etc/nsswitch.conf\" file, the \"/etc/resolv.conf\" file must be empty.\n\nVerify the \"/etc/resolv.conf\" file is empty with the following command:\n\n# ls -al /etc/resolv.conf\n-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf\n\nIf local host authentication is being used and the \"/etc/resolv.conf\" file is not empty, this is a finding.\n\nIf the DNS entry is found on the host's line of the \"/etc/nsswitch.conf\" file, verify the operating system is configured to use two or more name servers for DNS resolution.\n\nDetermine the name servers used by the system with the following command:\n\n# grep nameserver /etc/resolv.conf\nnameserver 192.168.1.2\nnameserver 192.168.1.3\n\nIf less than two lines are returned that are not commented out, this is a finding.\n\nVerify that the \"/etc/resolv.conf\" file is immutable with the following command:\n\n# sudo lsattr /etc/resolv.conf\n\n----i----------- /etc/resolv.conf\n\nIf the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding." 
} }, "V-72283": { "tags": { - "check_id": "C-72517r3_chk", - "severity": "medium", - "gid": "V-72283", - "rid": "SV-86907r2_rule", - "stig_id": "RHEL-07-040610", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78637r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72517r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72283" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.", - "desc": "[\"Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the system does not accept IPv4 source-routed packets.\n\n# grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*\n\nnet.ipv4.conf.all.accept_source_route = 0\n\nIf \" net.ipv4.conf.all.accept_source_route \" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route\nnet.ipv4.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.all.accept_source_route = 0 
\n\nIssue the following command to make the changes take effect:\n \n# sysctl -system" - } + "descs": {} }, "V-72285": { "tags": { - "check_id": "C-72519r2_chk", - "severity": "medium", - "gid": "V-72285", - "rid": "SV-86909r2_rule", - "stig_id": "RHEL-07-040620", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78639r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72519r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72285" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.", - "desc": "[\"Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the system does not accept IPv4 source-routed packets by default.\n\n# grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf \" net.ipv4.conf.default.accept_source_route \" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a 
configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.default.accept_source_route = 0 \n\nIssue the following command to make the changes take effect:\n \n# sysctl --system" - } + "descs": {} }, "V-72287": { "tags": { - "check_id": "C-72521r2_chk", - "severity": "medium", - "gid": "V-72287", - "rid": "SV-86911r2_rule", - "stig_id": "RHEL-07-040630", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78641r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72521r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72287" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.", - "desc": "[\"Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the system does not respond to IPv4 ICMP echoes sent to a broadcast address.\n\n# grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/*\n\nIf \" net.ipv4.icmp_echo_ignore_broadcasts\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the \"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required 
value):\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIssue the following command to make the changes take effect: \n\n# sysctl --system" - } + "descs": {} }, "V-72289": { "tags": { - "check_id": "C-72523r3_chk", - "severity": "medium", - "gid": "V-72289", - "rid": "SV-86913r3_rule", - "stig_id": "RHEL-07-040640", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78643r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72523r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72289" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.", - "desc": "[\"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the system will not accept IPv4 ICMP redirect messages.\n\n# grep 'net.ipv4.conf.default.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/*\n\nIf \" net.ipv4.conf.default.accept_redirects \" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the value of the \"accept_redirects\" variables with the following command:\n\n# /sbin/sysctl -a | grep 'net.ipv4.conf.default.accept_redirects'\nnet.ipv4.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.", - "fix": "Set the system to not accept IPv4 ICMP redirect messages by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.default.accept_redirects = 0 \n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" - } + "descs": {} }, "V-72291": { "tags": { - "check_id": "C-72525r4_chk", - "severity": "medium", - "gid": "V-72291", - "rid": "SV-86915r4_rule", - "stig_id": "RHEL-07-040650", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78645r4_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72525r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72291" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.", - "desc": "[\"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the system does not allow interfaces to perform IPv4 ICMP redirects by default.\n\n# grep 'net.ipv4.conf.default.send_redirects' /etc/sysctl.conf /etc/sysctl.d/*\n\nIf \"net.ipv4.conf.default.send_redirects\" is not configured in the \"/etc/sysctl.conf\" file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"default send_redirects\" variables with the following command:\n\n# /sbin/sysctl -a | grep 'net.ipv4.conf.default.send_redirects'\n\nnet.ipv4.conf.default.send_redirects = 0 \n\nIf the returned line does not have a value of \"0\", this is a finding.", - "fix": "Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. \n\nSet the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.default.send_redirects = 0\n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" - } + "descs": {} }, "V-72293": { "tags": { - "check_id": "C-72527r3_chk", - "severity": "medium", - "gid": "V-72293", - "rid": "SV-86917r3_rule", - "stig_id": "RHEL-07-040660", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78647r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72527r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72293" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.", - "desc": "[\"ICMP redirect messages are used by 
routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the system does not send IPv4 ICMP redirect messages.\n\n# grep 'net.ipv4.conf.all.send_redirects' /etc/sysctl.conf /etc/sysctl.d/*\n\nIf \"net.ipv4.conf.all.send_redirects\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"all send_redirects\" variables with the following command:\n\n# /sbin/sysctl -a | grep 'net.ipv4.conf.all.send_redirects'\n\nnet.ipv4.conf.all.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.", - "fix": "Configure the system to not allow interfaces to perform IPv4 ICMP redirects. \n\nSet the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.all.send_redirects = 0\n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" - } + "descs": {} }, "V-72295": { "tags": { - "check_id": "C-72529r1_chk", - "severity": "medium", - "gid": "V-72295", - "rid": "SV-86919r2_rule", - "stig_id": "RHEL-07-040670", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78649r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72529r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72295" + "DPMS Target Red Hat 7" ], - "title": "Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.", - "desc": "[\"Network interfaces in promiscuous mode allow for 
the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems.\\n\\nIf the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify network interfaces are not in promiscuous mode unless approved by the ISSO and documented.\n\nCheck for the status with the following command:\n\n# ip link | grep -i promisc\n\nIf network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.", - "fix": "Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented.\n\nSet the promiscuous mode of an interface to off with the following command:\n\n#ip link set dev multicast off promisc off" - } + "descs": {} }, "V-72297": { "tags": { - "check_id": "C-72531r3_chk", - "severity": "medium", - "gid": "V-72297", - "rid": "SV-86921r3_rule", - "stig_id": "RHEL-07-040680", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78651r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72531r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72297" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.", - "desc": "[\"If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the system is configured to prevent unrestricted mail 
relaying.\n\nDetermine if \"postfix\" is installed with the following commands:\n\n# yum list installed postfix\npostfix-2.6.6-6.el7.x86_64.rpm \n\nIf postfix is not installed, this is Not Applicable.\n\nIf postfix is installed, determine if it is configured to reject connections from unknown or untrusted networks with the following command:\n\n# postconf -n smtpd_client_restrictions\nsmtpd_client_restrictions = permit_mynetworks, reject\n\nIf the \"smtpd_client_restrictions\" parameter contains any entries other than \"permit_mynetworks\" and \"reject\", this is a finding.", - "fix": "If \"postfix\" is installed, modify the \"/etc/postfix/main.cf\" file to restrict client connections to the local network with the following command:\n\n# postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" - } + "descs": {} }, "V-72299": { "tags": { - "check_id": "C-72533r3_chk", - "severity": "high", - "gid": "V-72299", - "rid": "SV-86923r3_rule", - "stig_id": "RHEL-07-040690", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78653r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72533r3_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72299" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.", - "desc": "[\"The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. 
SSH or other encrypted file transfer methods must be used in place of this service.false\"]", - "impact": 0.7, - "descs": { - "check": "Verify an FTP server has not been installed on the system.\n\nCheck to see if an FTP server has been installed with the following commands:\n\n# yum list installed vsftpd\n\n vsftpd-3.0.2.el7.x86_64.rpm\n\nIf \"vsftpd\" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Document the \"vsftpd\" package with the ISSO as an operational requirement or remove it from the system with the following command:\n\n# yum remove vsftpd" - } + "descs": {} }, "V-72301": { "tags": { - "check_id": "C-72535r1_chk", + "check_id__added": "C-72535r1_chk", + "documentable__added": false, "severity": "high", - "gid": "V-72301", - "rid": "SV-86925r2_rule", - "stig_id": "RHEL-07-040700", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78655r2_fix", - "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" - ], "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1) (a)", - "CM-5 (1)" + "CM-5 (1) (a)" ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72301" - ], - "title": "The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.", - "desc": "[\"If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.false\"]", - "impact": 0.7, - "descs": { - "check": "Verify a TFTP server has not been installed on the system.\n\nCheck to see if a TFTP server has been installed with the following command:\n\n# yum list installed tftp-server\ntftp-server-0.49-9.el7.x86_64.rpm\n\nIf 
TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.", - "fix": "Remove the TFTP package from the system with the following command:\n\n# yum remove tftp-server" - } + "descs": {} }, "V-72303": { - "tags": { - "check_id": "C-72537r5_chk", - "severity": "high", - "gid": "V-72303", - "rid": "SV-86927r4_rule", - "stig_id": "RHEL-07-040710", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78657r6_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] - }, - "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72303" + "tags": { + "check_id__added": "C-72537r5_chk", + "documentable__added": false, + "severity": "high" + }, + "refs": [ + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that remote X connections for interactive users are encrypted.", - "desc": "[\"Open X displays allow an attacker to capture keystrokes and execute commands remotely.false\"]", - "impact": 0.7, - "descs": { - "check": "Verify remote X connections for interactive users are encrypted.\n\nCheck that remote X connections are encrypted with the following command:\n\n# grep -i x11forwarding /etc/ssh/sshd_config | grep -v \"^#\"\n\nX11Forwarding yes\n\nIf the \"X11Forwarding\" keyword is set to \"no\" or is missing, this is a finding.", - "fix": "Configure SSH to encrypt connections for interactive users.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\" keyword and set its value to \"yes\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding yes\n\nThe SSH service must be restarted for changes to take effect:\n\n# systemctl restart sshd" - } + "descs": {} }, "V-72305": { "tags": { - "check_id": "C-72539r3_chk", - "severity": "medium", - "gid": "V-72305", - "rid": "SV-86929r3_rule", - "stig_id": "RHEL-07-040720", - "gtitle": 
"SRG-OS-000480-GPOS-00227", - "fix_id": "F-78659r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72539r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72305" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.", - "desc": "[\"Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.false\"]", "impact": 0.5, - "descs": { - "check": "Verify the TFTP daemon is configured to operate in secure mode.\n\nCheck to see if a TFTP server has been installed with the following commands:\n\n# yum list installed tftp-server\ntftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms\n\nIf a TFTP server is not installed, this is Not Applicable.\n\nIf a TFTP server is installed, check for the server arguments with the following command: \n\n# grep server_args /etc/xinetd.d/tftp\nserver_args = -s /var/lib/tftpboot\n\nIf the \"server_args\" line does not have a \"-s\" option and a subdirectory is not assigned, this is a finding.", - "fix": "Configure the TFTP daemon to operate in secure mode by adding the following line to \"/etc/xinetd.d/tftp\" (or modify the line to have the required value):\n\nserver_args = -s /var/lib/tftpboot" - } + "descs": {} }, "V-72307": { "tags": { - "check_id": "C-72541r3_chk", - "severity": "medium", - "gid": "V-72307", - "rid": "SV-86931r4_rule", - "stig_id": "RHEL-07-040730", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78661r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72541r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72307" + "DPMS Target Red Hat 7" ], - 
"title": "The Red Hat Enterprise Linux operating system must not have an X Windows display manager installed unless approved.", - "desc": "[\"Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and will not be used unless approved and documented.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify that if the system has X Windows System installed, it is authorized.\n\nCheck for the X11 package with the following command:\n\n# rpm -qa | grep xorg | grep server\n\nAsk the System Administrator if use of the X Windows System is an operational requirement.\n\nIf the use of X Windows on the system is not documented with the Information System Security Officer (ISSO), this is a finding.", - "fix": "Document the requirement for an X Windows server with the ISSO or remove the related packages with the following commands:\n\n# rpm -e xorg-x11-server-common" - } + "descs": {} }, "V-72309": { "tags": { - "check_id": "C-72543r2_chk", - "severity": "medium", - "gid": "V-72309", - "rid": "SV-86933r2_rule", - "stig_id": "RHEL-07-040740", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78663r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72543r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72309" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.", - "desc": "[\"Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this software is used when not required, system network information may be unnecessarily transmitted across the network.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the system is not performing packet forwarding, unless the system is a router.\n\n# grep net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d/*\n\nnet.ipv4.ip_forward = 0\n\nIf \"net.ipv4.ip_forward\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system does not implement IP forwarding using the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.ip_forward\nnet.ipv4.ip_forward = 0\n\nIf IP forwarding value is \"1\" and the system is hosting any application, database, or web servers, this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.ip_forward = 0\n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" - } + "descs": {} }, "V-72311": { "tags": { - "check_id": "C-72545r2_chk", - "severity": "medium", - "gid": "V-72311", - "rid": "SV-86935r4_rule", - "stig_id": "RHEL-07-040750", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78665r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72545r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72311" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.", - "desc": "[\"When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. 
The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify \"AUTH_GSS\" is being used to authenticate NFS mounts.\n\nTo check if the system is importing an NFS file system, look for any entries in the \"/etc/fstab\" file that have a file system type of \"nfs\" with the following command:\n\n# cat /etc/fstab | grep nfs\n192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p\n\nIf the system is mounting file systems via NFS and has the sec option without the \"krb5:krb5i:krb5p\" settings, the \"sec\" option has the \"sys\" setting, or the \"sec\" option is missing, this is a finding.", - "fix": "Update the \"/etc/fstab\" file so the option \"sec\" is defined for each NFS mounted file system and the \"sec\" option does not have the \"sys\" setting. \n\nEnsure the \"sec\" option is defined as \"krb5:krb5i:krb5p\"." - } + "descs": {} }, "V-72313": { "tags": { - "check_id": "C-72547r1_chk", - "severity": "high", - "gid": "V-72313", - "rid": "SV-86937r2_rule", - "stig_id": "RHEL-07-040800", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78667r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72547r1_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72313" + "DPMS Target Red Hat 7" ], - "title": "SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.", - "desc": "[\"Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. 
If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.false\"]", "impact": 0.7, - "descs": { - "check": "Verify that a system using SNMP is not using default community strings.\n\nCheck to see if the \"/etc/snmp/snmpd.conf\" file exists with the following command:\n\n# ls -al /etc/snmp/snmpd.conf\n -rw------- 1 root root 52640 Mar 12 11:08 snmpd.conf\n\nIf the file does not exist, this is Not Applicable.\n\nIf the file does exist, check for the default community strings with the following commands:\n\n# grep public /etc/snmp/snmpd.conf\n# grep private /etc/snmp/snmpd.conf\n\nIf either of these commands returns any output, this is a finding.", - "fix": "If the \"/etc/snmp/snmpd.conf\" file exists, modify any lines that contain a community string value of \"public\" or \"private\" to another string value." 
- } + "descs": {} }, "V-72315": { "tags": { - "check_id": "C-72549r3_chk", - "severity": "medium", - "gid": "V-72315", - "rid": "SV-86939r3_rule", - "stig_id": "RHEL-07-040810", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78669r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72549r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72315" - ], - "title": "The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.", - "desc": "[\"If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.false\"]", - "impact": 0.5, - "descs": { - "check": "If the \"firewalld\" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding. 
\n\nVerify the system's access control program is configured to grant or deny system access to specific hosts.\n\nCheck to see if \"firewalld\" is active with the following command:\n\n# systemctl status firewalld\nfirewalld.service - firewalld - dynamic firewall daemon\nLoaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\nActive: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago\n\nIf \"firewalld\" is active, check to see if it is configured to grant or deny access to specific hosts or services with the following commands:\n\n# firewall-cmd --get-default-zone\npublic\n\n# firewall-cmd --list-all --zone=public\npublic (active)\ntarget: default\nicmp-block-inversion: no\ninterfaces: eth0\nsources:\nservices: mdns ssh\nports:\nprotocols:\nmasquerade: no\nforward-ports:\nicmp-blocks:\n\nIf \"firewalld\" is not active, determine whether \"tcpwrappers\" is being used by checking whether the \"hosts.allow\" and \"hosts.deny\" files are empty with the following commands:\n\n# ls -al /etc/hosts.allow\nrw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow\n\n# ls -al /etc/hosts.deny\n-rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny\n\nIf \"firewalld\" and \"tcpwrappers\" are not installed, configured, and active, ask the SA if another access control program (such as iptables) is installed and active. Ask the SA to show that the running configuration grants or denies access to specific hosts or services.\n\nIf \"firewalld\" is active and is not configured to grant access to specific hosts or \"tcpwrappers\" is not configured to grant or deny access to specific hosts, this is a finding.", - "fix": "If \"firewalld\" is installed and active on the system, configure rules for allowing specific services and hosts. \n\nIf \"firewalld\" is not \"active\", enable \"tcpwrappers\" by configuring \"/etc/hosts.allow\" and \"/etc/hosts.deny\" to allow or deny access to specific hosts." 
- } + "descs": {} }, "V-72317": { "tags": { - "check_id": "C-72551r2_chk", - "severity": "medium", - "gid": "V-72317", - "rid": "SV-86941r2_rule", - "stig_id": "RHEL-07-040820", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78671r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72551r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72317" - ], - "title": "The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.", - "desc": "[\"IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be documented with the Information System Security Officer (ISSO).false\"]", "impact": 0.5, - "descs": { - "check": "Verify the system does not have unauthorized IP tunnels configured.\n\nCheck to see if \"libreswan\" is installed with the following command:\n\n# yum list installed libreswan\nlibreswan.x86-64 3.20-5.el7_4\n\nIf \"libreswan\" is installed, check to see if the \"IPsec\" service is active with the following command:\n\n# systemctl status ipsec\nipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec\nLoaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)\nActive: inactive (dead)\n\nIf the \"IPsec\" service is active, check to see if any tunnels are configured in \"/etc/ipsec.conf\" and \"/etc/ipsec.d/\" with the following commands:\n\n# grep -iw conn /etc/ipsec.conf /etc/ipsec.d/*.conf\n\nIf there are indications that a \"conn\" parameter is configured for a tunnel, ask the System Administrator if the tunnel is documented with the ISSO. \n\nIf \"libreswan\" is installed, \"IPsec\" is active, and an undocumented tunnel is active, this is a finding.", - "fix": "Remove all unapproved tunnels from the system, or document them with the ISSO." 
- } + "descs": {} }, "V-72319": { "tags": { - "check_id": "C-72553r2_chk", - "severity": "medium", - "gid": "V-72319", - "rid": "SV-86943r2_rule", - "stig_id": "RHEL-07-040830", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78673r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72553r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72319" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.", - "desc": "[\"Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.false\"]", - "impact": 0.5, - "descs": { - "check": "If IPv6 is not enabled, the key will not exist, and this is Not Applicable.\n\nVerify the system does not accept IPv6 source-routed packets.\n\n# grep net.ipv6.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*\n\nnet.ipv6.conf.all.accept_source_route = 0\n\nIf \"net.ipv6.conf.all.accept_source_route\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route\nnet.ipv6.conf.all.accept_source_route = 0\n\nIf the returned lines do not have a value of \"0\", this is a finding.", - "fix": "Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the 
line to have the required value):\n\nnet.ipv6.conf.all.accept_source_route = 0\n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" - } + "descs": {} }, "V-72417": { "tags": { - "check_id": "C-72617r5_chk", + "check_id__added": "C-72617r5_chk", + "documentable__added": false, "severity": "medium", - "gid": "V-72417", "rid": "SV-87041r5_rule", - "stig_id": "RHEL-07-041001", - "gtitle": "SRG-OS-000375-GPOS-00160", - "fix_id": "F-78769r5_fix", - "cci": [ - "CCI-001948", - "CCI-001953", - "CCI-001954" - ], - "nist": [ - "IA-2 (11)", - "IA-2 (12)", - "IA-2 (12)" - ] + "fix_id": "F-78769r5_fix" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72417" - ], - "title": "The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.", - "desc": "[\"Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.\\n\\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.\\n\\nA privileged account is defined as an information system account with authorizations of a privileged user.\\n\\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\\n\\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). 
This does not apply to authentication for the purpose of configuring the device itself (management).\\n\\nSatisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162false\"]", - "impact": 0.5, "descs": { "check": "Verify the operating system has the packages required for multifactor authentication installed.\n\nCheck for the presence of the packages required to support multifactor authentication with the following commands:\n\n# yum list installed pam_pkcs11\npam_pkcs11-0.6.2-14.el7.noarch.rpm\n\n\nIf the \"pam_pkcs11\" package is not installed, this is a finding.", "fix": "Configure the operating system to implement multifactor authentication by installing the required packages.\n\nInstall the pam_pkcs11 package with the following command:\n\n# yum install pam_pkcs11" 
@@ -8072,1915 +2764,417 @@ }, "V-72427": { "tags": { - "check_id": "C-72627r4_chk", - "severity": "medium", - "gid": "V-72427", - "rid": "SV-87051r4_rule", - "stig_id": "RHEL-07-041002", - "gtitle": "SRG-OS-000375-GPOS-00160", - "fix_id": "F-78779r3_fix", - "cci": [ - "CCI-001948", - "CCI-001953", - "CCI-001954" - ], - "nist": [ - "IA-2 (11)", - "IA-2 (12)", - "IA-2 (12)" - ] + "check_id__added": "C-72627r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-72427" - ], - "title": "The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).", - "desc": "[\"Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.\\n\\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.\\n\\nA privileged account is defined as an information system account with authorizations of a privileged user.\\n\\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\\n\\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). 
This does not apply to authentication for the purpose of configuring the device itself (management).\\n\\nSatisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system implements multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).\n\nCheck the \"/etc/sssd/sssd.conf\" file for the authentication services that are being used with the following command:\n\n# grep services /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n\nservices = nss, pam\n\nIf the \"pam\" service is not present on all \"services\" lines, this is a finding.", - "fix": "Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).\n\nModify all of the services lines in \"/etc/sssd/sssd.conf\" or in configuration files found under \"/etc/sssd/conf.d\" to include pam." - } + "descs": {} }, "V-72433": { "tags": { - "check_id": "C-72633r6_chk", - "severity": "medium", - "gid": "V-72433", - "rid": "SV-87057r5_rule", - "stig_id": "RHEL-07-041003", - "gtitle": "SRG-OS-000375-GPOS-00160", - "fix_id": "F-78785r3_fix", - "cci": [ - "CCI-001948", - "CCI-001953", - "CCI-001954" - ], - "nist": [ - "IA-2 (11)", - "IA-2 (12)", - "IA-2 (12)" - ] + "check_id__added": "C-72633r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72433" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.", - "desc": "[\"Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.\\n\\nMultifactor solutions that require devices 
separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.\\n\\nA privileged account is defined as an information system account with authorizations of a privileged user.\\n\\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\\n\\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).\\n\\nSatisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system implements certificate status checking for PKI authentication.\n\nCheck to see if Online Certificate Status Protocol (OCSP) is enabled on the system with the following command:\n\n# grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -v \"^#\"\n\ncert_policy = ca, ocsp_on, signature;\ncert_policy = ca, ocsp_on, signature;\ncert_policy = ca, ocsp_on, signature;\n\nThere should be at least three lines returned. \n\nIf \"ocsp_on\" is not present in all uncommented \"cert_policy\" lines in \"/etc/pam_pkcs11/pam_pkcs11.conf\", this is a finding.", - "fix": "Configure the operating system to do certificate status checking for PKI authentication.\n\nModify all of the \"cert_policy\" lines in \"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"." 
- } + "descs": {} }, "V-73155": { "tags": { - "check_id": "C-73279r4_chk", - "severity": "medium", - "gid": "V-73155", - "rid": "SV-87807r4_rule", - "stig_id": "RHEL-07-010081", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-79601r2_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id__added": "C-73279r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-73155" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.", - "desc": "[\"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.\n\nDetermine which profile the system database is using with the following command:\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck for the lock delay setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n# grep -i lock-delay /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/lock-delay\n\nIf the command does not return a result, this is a finding.", - "fix": "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/locks/session\n\nAdd the setting to lock the screensaver lock delay:\n\n/org/gnome/desktop/screensaver/lock-delay" - } + "descs": {} }, "V-73157": { "tags": { - "check_id": "C-73281r3_chk", - "severity": "medium", - "gid": "V-73157", - "rid": "SV-87809r4_rule", - "stig_id": "RHEL-07-010082", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-79603r1_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id__added": "C-73281r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-73157" - ], - "title": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.", - "desc": "[\"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. \n\nDetermine which profile the system database is using with the following command:\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck for the session idle delay setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n# grep -i idle-delay /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/session/idle-delay\n\nIf the command does not return a result, this is a finding.", - "fix": "Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in /etc/dconf/profile/user, the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/locks/session\n\nAdd the setting to lock the session idle delay:\n\n/org/gnome/desktop/session/idle-delay" - } + "descs": {} }, "V-73159": { "tags": { - "check_id": "C-73283r6_chk", - "severity": "medium", - "gid": "V-73159", - "rid": "SV-87811r4_rule", - "stig_id": "RHEL-07-010119", - "gtitle": "SRG-OS-000069-GPOS-00037", - "fix_id": "F-79605r5_fix", - "cci": [ - "CCI-000192" - ], - "nist": [ - "IA-5 (1) (a)" - ] + "check_id__added": "C-73283r6_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-73159" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
\\\"pwquality\\\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system uses \"pwquality\" to enforce the password complexity rules. \n\nCheck for the use of \"pwquality\" with the following command:\n\n# cat /etc/pam.d/system-auth | grep pam_pwquality\n\npassword required pam_pwquality.so retry=3\n\nIf the command does not return an uncommented line containing the value \"pam_pwquality.so\", this is a finding.\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.", - "fix": "Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\nAdd the following line to \"/etc/pam.d/system-auth\" (or modify the line to have the required value):\n\npassword required pam_pwquality.so retry=3\n\nNote: The value of \"retry\" should be between \"1\" and \"3\"." - } + "descs": {} }, "V-73161": { "tags": { - "check_id": "C-73285r2_chk", - "severity": "medium", - "gid": "V-73161", - "rid": "SV-87813r2_rule", - "stig_id": "RHEL-07-021021", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-79607r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-73285r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-73161" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).", - "desc": "[\"The \\\"noexec\\\" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify file systems that are being NFS imported are configured with the \"noexec\" option.\n\nFind the file system(s) that contain the directories being imported with the following command:\n\n# more /etc/fstab | grep nfs\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0\n\nIf a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"noexec\" option set, and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the NFS is mounted with the \"noexec\"option:\n\n# mount | grep nfs | grep noexec\nIf no results are returned and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"noexec\" option on file systems that are being imported via NFS." 
- } + "descs": {} }, "V-73163": { "tags": { - "check_id": "C-73287r4_chk", - "severity": "medium", - "gid": "V-73163", - "rid": "SV-87815r3_rule", - "stig_id": "RHEL-07-030321", - "gtitle": "SRG-OS-000342-GPOS-00133", - "fix_id": "F-79609r2_fix", - "cci": [ - "CCI-001851" - ], - "nist": [ - "AU-4 (1)" - ] + "check_id__added": "C-73287r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-73163" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.", - "desc": "[\"Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the action the operating system takes if there is an error sending audit records to a remote system.\n\nCheck the action that takes place if there is an error sending audit records to a remote system with the following command:\n\n# grep -i network_failure_action /etc/audisp/audisp-remote.conf\nnetwork_failure_action = syslog\n\nIf the value of the \"network_failure_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, this is a finding.", - "fix": "Configure the action the operating system takes if there is an error sending audit records to a remote system.\n\nUncomment the \"network_failure_action\" option in \"/etc/audisp/audisp-remote.conf\" and set it to \"syslog\", \"single\", or \"halt\".\n\nnetwork_failure_action = syslog" - } + "descs": {} }, "V-73165": { "tags": { - "check_id": "C-73289r4_chk", - "severity": "medium", - "gid": "V-73165", - "rid": "SV-87817r3_rule", - "stig_id": "RHEL-07-030871", - "gtitle": "SRG-OS-000004-GPOS-00004", - "fix_id": "F-79611r3_fix", - "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - 
"CCI-002130" - ], - "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)" - ] + "check_id__added": "C-73289r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-73165" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/group\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep /etc/group /etc/audit/audit.rules\n\n-w /etc/group -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/group\".\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/group -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect." 
- } + "descs": {} }, "V-73167": { "tags": { - "check_id": "C-73291r4_chk", - "severity": "medium", - "gid": "V-73167", - "rid": "SV-87819r4_rule", - "stig_id": "RHEL-07-030872", - "gtitle": "SRG-OS-000004-GPOS-00004", - "fix_id": "F-79613r3_fix", - "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-002130" - ], - "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)" - ] + "check_id__added": "C-73291r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-73167" - ], - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep /etc/gshadow /etc/audit/audit.rules\n\n-w /etc/gshadow -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/gshadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect." 
- } + "descs": {} }, "V-73171": { "tags": { - "check_id": "C-73295r4_chk", - "severity": "medium", - "gid": "V-73171", - "rid": "SV-87823r4_rule", - "stig_id": "RHEL-07-030873", - "gtitle": "SRG-OS-000004-GPOS-00004", - "fix_id": "F-79617r4_fix", - "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-002130" - ], - "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)" - ] + "check_id__added": "C-73295r4_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-73171" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep /etc/shadow /etc/audit/audit.rules\n\n-w /etc/shadow -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.\n\nAdd or update the following file system rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/shadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect." 
- } + "descs": {} }, "V-73173": { "tags": { - "check_id": "C-73297r5_chk", - "severity": "medium", - "gid": "V-73173", - "rid": "SV-87825r5_rule", - "stig_id": "RHEL-07-030874", - "gtitle": "SRG-OS-000004-GPOS-00004", - "fix_id": "F-79619r6_fix", - "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-002130" - ], - "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)" - ] + "check_id__added": "C-73297r5_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-73173" - ], - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep /etc/security/opasswd /etc/audit/audit.rules\n\n-w /etc/security/opasswd -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.\n\nAdd or update the following file system rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/security/opasswd -p wa -k identity\n\nThe audit daemon must be restarted for the 
changes to take effect:\n# systemctl restart auditd" - } + "descs": {} }, "V-73175": { "tags": { - "check_id": "C-73299r3_chk", - "severity": "medium", - "gid": "V-73175", - "rid": "SV-87827r4_rule", - "stig_id": "RHEL-07-040641", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-79621r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-73299r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-73175" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.", - "desc": "[\"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the system ignores IPv4 ICMP redirect messages.\n\n# grep 'net.ipv4.conf.all.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/*\n\nIf \" net.ipv4.conf.all.accept_redirects \" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"accept_redirects\" variables with the following command:\n\n# /sbin/sysctl -a | grep 'net.ipv4.conf.all.accept_redirects'\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.", - "fix": "Set the system to ignore IPv4 ICMP redirect messages by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.all.accept_redirects = 0 \n\nIssue the following command to make the changes 
take effect:\n\n# sysctl --system" - } + "descs": {} }, "V-73177": { "tags": { - "check_id": "C-73301r1_chk", - "severity": "medium", - "gid": "V-73177", - "rid": "SV-87829r2_rule", - "stig_id": "RHEL-07-041010", - "gtitle": "SRG-OS-000424-GPOS-00188", - "fix_id": "F-79623r1_fix", - "cci": [ - "CCI-001443", - "CCI-001444", - "CCI-002418" - ], - "nist": [ - "AC-18 (1)", - "AC-18 (1)", - "SC-8" - ] - }, - "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-73177" + "check_id__added": "C-73301r1_chk", + "documentable__added": false, + "severity": "medium" + }, + "refs": [ + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled.", - "desc": "[\"The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. 
These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify that there are no wireless interfaces configured on the system.\n\nThis is N/A for systems that do not have wireless network adapters.\n\nCheck for the presence of active wireless interfaces with the following command:\n\n# nmcli device\nDEVICE TYPE STATE\neth0 ethernet connected\nwlp3s0 wifi disconnected\nlo loopback unmanaged\n\nIf a wireless interface is configured and its use on the system is not documented with the Information System Security Officer (ISSO), this is a finding.", - "fix": "Configure the system to disable all wireless network interfaces with the following command:\n\n#nmcli radio wifi off" - } + "descs": {} }, "V-77819": { "tags": { - "check_id": "C-77437r2_chk", - "severity": "medium", - "gid": "V-77819", - "rid": "SV-92515r2_rule", - "stig_id": "RHEL-07-010061", - "gtitle": "SRG-OS-000375-GPOS-00160", - "fix_id": "F-84519r4_fix", - "cci": [ - "CCI-001948", - "CCI-001953", - "CCI-001954" - ], - "nist": [ - "IA-2 (11)", - "IA-2 (12)", - "IA-2 (12)" - ] + "check_id__added": "C-77437r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-77819" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.", - "desc": "[\"To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system.\\n\\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. 
Government Personal Identity Verification card and the DoD Common Access Card.\\n\\nSatisfies: SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system uniquely identifies and authenticates users using multifactor authentication via a graphical user logon.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. \n\nDetermine which profile the system database is using with the following command:\n\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nNote: The example is using the database local for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than local is being used.\n\n# grep enable-smartcard-authentication /etc/dconf/db/local.d/*\n\nenable-smartcard-authentication=true\n\nIf \"enable-smartcard-authentication\" is set to \"false\" or the keyword is missing, this is a finding.", - "fix": "Configure the operating system to uniquely identify and authenticate users using multifactor authentication via a graphical user logon.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example is using the database local for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/00-defaults\n\nEdit \"[org/gnome/login-screen]\" and add or update the following line:\nenable-smartcard-authentication=true \n\nUpdate the system databases:\n# dconf update" - } + "descs": {} }, "V-77821": { "tags": { - "check_id": "C-77439r11_chk", - "severity": "medium", - "gid": "V-77821", - "rid": "SV-92517r3_rule", - "stig_id": "RHEL-07-020101", - "gtitle": "SRG-OS-000378-GPOS-00163", - "fix_id": "F-84521r3_fix", - "cci": [ - 
"CCI-001958" - ], - "nist": [ - "IA-3" - ] + "check_id__added": "C-77439r11_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-77821" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.", - "desc": "[\"Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system disables the ability to load the DCCP kernel module.\n\n# grep -r dccp /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v \"^#\"\n\ninstall dccp /bin/true\n\nIf the command does not return any output, or the line is commented out, and use of DCCP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the DCCP kernel module.\n\nCheck to see if the DCCP kernel module is disabled with the following command:\n\n# grep -i dccp /etc/modprobe.d/* | grep -i \"blacklist\" | grep -v \"^#\"\n\nblacklist dccp\n\nIf the command does not return any output or the output is not \"blacklist dccp\", and use of the dccp kernel module is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Configure the operating system to disable the ability to use the DCCP kernel module.\n\nCreate a file under \"/etc/modprobe.d\" with the following command:\n\n# touch /etc/modprobe.d/dccp.conf\n\nAdd the following line to the created file:\n\ninstall dccp /bin/true\n\nEnsure that the DCCP module is blacklisted: \n\n# vi /etc/modprobe.d/blacklist.conf\n\nAdd or update the line:\n\nblacklist dccp" - } + "descs": {} }, "V-77823": { "tags": { - "check_id": "C-77441r2_chk", - "severity": "medium", - "gid": 
"V-77823", - "rid": "SV-92519r2_rule", - "stig_id": "RHEL-07-010481", - "gtitle": "SRG-OS-000080-GPOS-00048", - "fix_id": "F-84523r2_fix", - "cci": [ - "CCI-000213" - ], - "nist": [ - "AC-3" - ] + "check_id__added": "C-77441r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-77823" - ], - "title": "The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes.", - "desc": "[\"If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system must require authentication upon booting into single-user and maintenance modes.\n\nCheck that the operating system requires authentication upon booting into single-user mode with the following command:\n\n# grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin\n\nExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\"\n\nIf \"ExecStart\" does not have \"/usr/sbin/sulogin\" as an option, this is a finding.", - "fix": "Configure the operating system to require authentication upon booting into single-user and maintenance modes.\n\nAdd or modify the \"ExecStart\" line in \"/usr/lib/systemd/system/rescue.service\" to include \"/usr/sbin/sulogin\":\n\nExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\"" - } + "descs": {} }, "V-77825": { "tags": { - "check_id": "C-77449r3_chk", - "severity": "medium", - "gid": "V-77825", - "rid": "SV-92521r2_rule", - "stig_id": "RHEL-07-040201", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-84531r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-77449r3_chk", + 
"documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-77825" - ], - "title": "The Red Hat Enterprise Linux operating system must implement virtual address space randomization.", - "desc": "[\"Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system implements virtual address space randomization.\n\n# grep kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d/*\n\nkernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of \"2\", this is a finding.\n\nCheck that the operating system implements virtual address space randomization with the following command:\n\n# /sbin/sysctl -a | grep kernel.randomize_va_space \n\nkernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" does not have a value of \"2\", this is a finding.", - "fix": "Configure the operating system implement virtual address space randomization.\n\nSet the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nkernel.randomize_va_space = 2\n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" - } + "descs": {} }, "V-78995": { "tags": { - "check_id": "C-78583r1_chk", - "severity": "medium", - "gid": "V-78995", - "rid": "SV-93701r3_rule", - "stig_id": "RHEL-07-010062", - "gtitle": 
"SRG-OS-000029-GPOS-00010", - "fix_id": "F-85745r1_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id__added": "C-78583r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-78995" - ], - "title": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.", - "desc": "[\"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\\n\\nThe session lock is implemented at the point where session activity can be determined.\\n\\nThe ability to enable/disable a session lock is given to the user by default. Disabling the user’s ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.\\nfalse\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.\n\nDetermine which profile the system database is using with the following command:\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck for the lock-enabled setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n# grep -i lock-enabled /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/lock-enabled\n\nIf the command does not return a result, this is a finding.", - "fix": "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/locks/session\n\nAdd the setting to lock the screensaver lock-enabled setting:\n\n/org/gnome/desktop/screensaver/lock-enabled" - } + "descs": {} }, "V-78997": { "tags": { - "check_id": "C-78585r1_chk", - "severity": "medium", - "gid": "V-78997", - "rid": "SV-93703r2_rule", - "stig_id": "RHEL-07-010101", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-85747r1_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id__added": "C-78585r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-78997" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.", - "desc": "[\"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\\n\\nThe session lock is implemented at the point where session activity can be determined.\\n\\nThe ability to enable/disable a session lock is given to the user by 
default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.false\"]", "impact": 0.5, - "descs": { - "check": "Verify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.\n\nDetermine which profile the system database is using with the following command:\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck for the idle-activation-enabled setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\n# grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/idle-activation-enabled\n\nIf the command does not return a result, this is a finding.", - "fix": "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/locks/session\n\nAdd the setting to lock the screensaver idle-activation-enabled setting:\n\n/org/gnome/desktop/screensaver/idle-activation-enabled" - } + "descs": {} }, "V-78999": { "tags": { - "check_id": "C-78587r3_chk", - "severity": "medium", - "gid": "V-78999", - "rid": "SV-93705r3_rule", - "stig_id": 
"RHEL-07-030819", - "gtitle": "SRG-OS-000471-GPOS-00216", - "fix_id": "F-85749r4_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-78587r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-78999" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"create_module\" syscall occur. \n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw create_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S create_module -k module-change\n\n-a always,exit -F arch=b64 -S create_module -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"create_module\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"create_module\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S create_module -k module-change\n\n-a always,exit -F arch=b64 -S create_module -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." 
- } + "descs": {} }, "V-79001": { "tags": { - "check_id": "C-78589r3_chk", - "severity": "medium", - "gid": "V-79001", - "rid": "SV-93707r3_rule", - "stig_id": "RHEL-07-030821", - "gtitle": "SRG-OS-000471-GPOS-00216", - "fix_id": "F-85751r3_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-78589r3_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-79001" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"finit_module\" syscall occur. \n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw finit_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S finit_module -k module-change\n\n-a always,exit -F arch=b64 -S finit_module -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"finit_module\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"finit_module\" syscall occur. 
\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F arch=b32 -S finit_module -k module-change\n\n-a always,exit -F arch=b64 -S finit_module -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." - } + "descs": {} }, "V-81003": { "tags": { - "check_id": "C-80717r1_chk", - "severity": "medium", - "gid": "V-81003", - "rid": "SV-95715r1_rule", - "stig_id": "RHEL-07-010118", - "gtitle": "SRG-OS-000069-GPOS-00037", - "fix_id": "F-87837r1_fix", - "cci": [ - "CCI-000192" - ], - "nist": [ - "IA-5 (1) (a)" - ] + "check_id__added": "C-80717r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-81003" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.", - "desc": "[\"Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. 
PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify that /etc/pam.d/passwd is configured to use /etc/pam.d/system-auth when changing passwords:\n\n# cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth\npassword substack system-auth\n\nIf no results are returned, the line is commented out, this is a finding.", - "fix": "Configure PAM to utilize /etc/pam.d/system-auth when changing passwords.\n\nAdd the following line to \"/etc/pam.d/passwd\" (or modify the line to have the required value):\n\npassword substack system-auth" - } + "descs": {} }, "V-81005": { "tags": { - "check_id": "C-80719r2_chk", - "severity": "high", - "gid": "V-81005", - "rid": "SV-95717r1_rule", - "stig_id": "RHEL-07-010482", - "gtitle": "SRG-OS-000080-GPOS-00048", - "fix_id": "F-87839r2_fix", - "cci": [ - "CCI-000213" - ], - "nist": [ - "AC-3" - ] + "check_id__added": "C-80719r2_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-81005" - ], - "title": "Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.", - "desc": "[\"If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.false\"]", - "impact": 0.7, - "descs": { - "check": "For systems that use UEFI, this is Not Applicable.\n\nFor systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n\nCheck to see if an encrypted root password is set. On systems that use a BIOS, use the following command:\n\n# grep -iw grub2_password /boot/grub2/user.cfg\nGRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\nIf the root password does not begin with \"grub.pbkdf2.sha512\", this is a finding.\n\nVerify that the \"root\" account is set as the \"superusers\":\n\n# grep -iw \"superusers\" /boot/grub2/grub.cfg\n set superusers=\"root\"\n export superusers\n\nIf \"superusers\" is not set to \"root\", this is a finding.", - "fix": "Configure the system to encrypt the boot password for root.\n\nGenerate an encrypted grub2 password for root with the following command:\n\nNote: The hash generated is an example.\n \n# grub2-setpassword\nEnter password:\nConfirm password:\n\nEdit the /boot/grub2/grub.cfg file and add or modify the following lines in the \"### BEGIN /etc/grub.d/01_users ###\" section:\n\nset superusers=\"root\"\nexport superusers" - } + "descs": {} }, "V-81007": { "tags": { - "check_id": "C-80721r2_chk", - "severity": "high", - "gid": "V-81007", - "rid": "SV-95719r1_rule", - "stig_id": "RHEL-07-010491", - "gtitle": "SRG-OS-000080-GPOS-00048", - "fix_id": "F-87841r2_fix", - "cci": [ - "CCI-000213" - ], - "nist": [ - "AC-3" - ] + "check_id__added": "C-80721r2_chk", + "documentable__added": false, + "severity": "high" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-81007" - ], - "title": "Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance 
modes.", - "desc": "[\"If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.false\"]", "impact": 0.7, - "descs": { - "check": "For systems that use BIOS, this is Not Applicable.\n\nFor systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n\nCheck to see if an encrypted root password is set. On systems that use UEFI, use the following command:\n\n# grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg\nGRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\nIf the root password does not begin with \"grub.pbkdf2.sha512\", this is a finding.\n\nVerify that the \"root\" account is set as the \"superusers\":\n\n# grep -iw \"superusers\" /boot/efi/EFI/redhat/grub.cfg\n set superusers=\"root\"\n export superusers\n\nIf \"superusers\" is not set to \"root\", this is a finding.", - "fix": "Configure the system to encrypt the boot password for root.\n\nGenerate an encrypted grub2 password for root with the following command:\n\nNote: The hash generated is an example.\n \n# grub2-setpassword\nEnter password:\nConfirm password:\n\nEdit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the \"### BEGIN /etc/grub.d/01_users ###\" section:\n\nset superusers=\"root\"\nexport superusers" - } + "descs": {} }, "V-81009": { "tags": { - "check_id": "C-80723r2_chk", - "severity": "low", - "gid": "V-81009", - "rid": "SV-95721r2_rule", - "stig_id": "RHEL-07-021022", - "gtitle": "SRG-OS-000368-GPOS-00154", - "fix_id": "F-87843r2_fix", - "cci": [ - "CCI-001764" - ], - "nist": [ - "CM-7 (2)" - ] + "check_id__added": "C-80723r2_chk", + "documentable__added": false, + "severity": "low" }, "refs": [ - [ - "DPMS Target Red Hat 7" 
- ] - ], - "id": [ - "V-81009" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must mount /dev/shm with the nodev option.", - "desc": "[\"The \\\"nodev\\\" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false\"]", - "impact": 0.3, - "descs": { - "check": "Verify that the \"nodev\" option is configured for /dev/shm:\n\n\n# cat /etc/fstab | grep /dev/shm\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf any results are returned and the \"nodev\" option is not listed, this is a finding.\n\nVerify \"/dev/shm\" is mounted with the \"nodev\" option:\n\n# mount | grep \"/dev/shm\" | grep nodev\n\nIf no results are returned, this is a finding.", - "fix": "Configure the system so that /dev/shm is mounted with the \"nodev\" option." - } + "descs": {} }, "V-81011": { "tags": { - "check_id": "C-80725r2_chk", - "severity": "low", - "gid": "V-81011", - "rid": "SV-95723r2_rule", - "stig_id": "RHEL-07-021023", - "gtitle": "SRG-OS-000368-GPOS-00154", - "fix_id": "F-87845r2_fix", - "cci": [ - "CCI-001764" - ], - "nist": [ - "CM-7 (2)" - ] + "check_id__added": "C-80725r2_chk", + "documentable__added": false, + "severity": "low" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-81011" - ], - "title": "The Red Hat Enterprise Linux operating system must mount /dev/shm with the nosuid option.", - "desc": "[\"The \\\"nosuid\\\" mount option causes the system to not execute \\\"setuid\\\" and \\\"setgid\\\" files with owner privileges. This option must be used for mounting any file system not containing approved \\\"setuid\\\" and \\\"setguid\\\" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false\"]", - "impact": 0.3, - "descs": { - "check": "Verify that the \"nosuid\" option is configured for /dev/shm:\n\n# cat /etc/fstab | grep /dev/shm\n\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf any results are returned and the \"nosuid\" option is not listed, this is a finding.\n\nVerify \"/dev/shm\" is mounted with the \"nosuid\" option:\n\n# mount | grep \"/dev/shm\" | grep nosuid\n\nIf no results are returned, this is a finding.", - "fix": "Configure the system so that /dev/shm is mounted with the \"nosuid\" option." - } + "descs": {} }, "V-81013": { "tags": { - "check_id": "C-80727r2_chk", - "severity": "low", - "gid": "V-81013", - "rid": "SV-95725r2_rule", - "stig_id": "RHEL-07-021024", - "gtitle": "SRG-OS-000368-GPOS-00154", - "fix_id": "F-87847r2_fix", - "cci": [ - "CCI-001764" - ], - "nist": [ - "CM-7 (2)" - ] + "check_id__added": "C-80727r2_chk", + "documentable__added": false, + "severity": "low" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-81013" + "DPMS Target Red Hat 7" ], - "title": "The Red Hat Enterprise Linux operating system must mount /dev/shm with the noexec option.", - "desc": "[\"The \\\"noexec\\\" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false\"]", - "impact": 0.3, - "descs": { - "check": "Verify that the \"noexec\" option is configured for /dev/shm:\n\n# cat /etc/fstab | grep /dev/shm\n\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf any results are returned and the \"noexec\" option is not listed, this is a finding.\n\nVerify \"/dev/shm\" is mounted with the \"noexec\" option:\n\n# mount | grep \"/dev/shm\" | grep noexec\n\nIf no results are returned, this is a finding.", - "fix": "Configure the system so that /dev/shm is mounted with the \"noexec\" option." - } + "descs": {} }, "V-81015": { "tags": { - "check_id": "C-80729r1_chk", - "severity": "medium", - "gid": "V-81015", - "rid": "SV-95727r1_rule", - "stig_id": "RHEL-07-030200", - "gtitle": "SRG-OS-000342-GPOS-00133", - "fix_id": "F-87849r2_fix", - "cci": [ - "CCI-001851" - ], - "nist": [ - "AU-4 (1)" - ] + "check_id__added": "C-80729r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-81015" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured to use the au-remote plugin.", - "desc": "[\"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\\n\\nOff-loading is a common process in information systems with limited audit storage capacity.\\n\\nWithout the configuration of the \\\"au-remote\\\" plugin, the audisp-remote daemon will not off-load the logs from the system being audited.\\n\\nSatisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the \"au-remote\" plugin is active on the system:\n\n# grep \"active\" /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf the \"active\" setting is not set to \"yes\", or the line is commented out, this is a 
finding.", - "fix": "Edit the /etc/audisp/plugins.d/au-remote.conf file and change the value of \"active\" to \"yes\".\n\nThe audit daemon must be restarted for changes to take effect:\n\n# service auditd restart" - } + "descs": {} }, "V-81017": { "tags": { - "check_id": "C-80731r2_chk", - "severity": "medium", - "gid": "V-81017", - "rid": "SV-95729r1_rule", - "stig_id": "RHEL-07-030201", - "gtitle": "SRG-OS-000342-GPOS-00133", - "fix_id": "F-87851r2_fix", - "cci": [ - "CCI-001851" - ], - "nist": [ - "AU-4 (1)" - ] + "check_id__added": "C-80731r2_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-81017" - ], - "title": "The Red Hat Enterprise Linux operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon.", - "desc": "[\"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\\n\\nOff-loading is a common process in information systems with limited audit storage capacity.\\n\\nWithout the configuration of the \\\"au-remote\\\" plugin, the audisp-remote daemon will not off load the logs from the system being audited.\\n\\nSatisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the \"au-remote\" plugin is configured to always off-load audit logs using the audisp-remote daemon:\n\n# cat /etc/audisp/plugins.d/au-remote.conf | grep -v \"^#\"\n\nactive = yes\ndirection = out\npath = /sbin/audisp-remote\ntype = always\nformat = string\n\nIf the \"direction\" setting is not set to \"out\", or the line is commented out, this is a finding.\n\nIf the \"path\" setting is not set to \"/sbin/audisp-remote\", or the line is commented out, this is a finding.\n\nIf the \"type\" setting is not set to \"always\", or the line is commented out, this is a finding.", - "fix": "Edit the /etc/audisp/plugins.d/au-remote.conf file and 
add or update the following values:\n\ndirection = out\npath = /sbin/audisp-remote\ntype = always\n\nThe audit daemon must be restarted for changes to take effect:\n\n# service auditd restart" - } + "descs": {} }, "V-81019": { "tags": { - "check_id": "C-80735r1_chk", - "severity": "medium", - "gid": "V-81019", - "rid": "SV-95731r1_rule", - "stig_id": "RHEL-07-030210", - "gtitle": "SRG-OS-000342-GPOS-00133", - "fix_id": "F-87853r3_fix", - "cci": [ - "CCI-001851" - ], - "nist": [ - "AU-4 (1)" - ] + "check_id__added": "C-80735r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-81019" - ], - "title": "The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full.", - "desc": "[\"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\\n\\nOff-loading is a common process in information systems with limited audit storage capacity.\\n\\nWhen the remote buffer is full, audit logs will not be collected and sent to the central log server.\\n\\nSatisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the audisp daemon is configured to take an appropriate action when the internal queue is full:\n\n# grep \"overflow_action\" /etc/audisp/audispd.conf\n\noverflow_action = syslog\n\nIf the \"overflow_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, this is a finding.", - "fix": "Edit the /etc/audisp/audispd.conf file and add or update the \"overflow_action\" option:\n\noverflow_action = syslog\n\nThe audit daemon must be restarted for changes to take effect:\n\n# service auditd restart" - } + "descs": {} }, "V-81021": { "tags": { - "check_id": "C-80737r1_chk", - "severity": "medium", - "gid": "V-81021", - "rid": "SV-95733r1_rule", - "stig_id": "RHEL-07-030211", - "gtitle": 
"SRG-OS-000342-GPOS-00133", - "fix_id": "F-87855r2_fix", - "cci": [ - "CCI-001851" - ], - "nist": [ - "AU-4 (1)" - ] + "check_id__added": "C-80737r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-81021" - ], - "title": "The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server.", - "desc": "[\"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\\n\\nOff-loading is a common process in information systems with limited audit storage capacity.\\n\\nWhen audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system.\\n\\nSatisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the audisp daemon is configured to label all off-loaded audit logs:\n\n# grep \"name_format\" /etc/audisp/audispd.conf\n\nname_format = hostname\n\nIf the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\", or the line is commented out, this is a finding.", - "fix": "Edit the /etc/audisp/audispd.conf file and add or update the \"name_format\" option:\n\nname_format = hostname\n\nThe audit daemon must be restarted for changes to take effect:\n\n# service auditd restart" - } + "descs": {} }, "V-92251": { "tags": { - "check_id": "C-91431r1_chk", - "severity": "medium", - "gid": "V-92251", - "rid": "SV-102353r1_rule", - "stig_id": "RHEL-07-040611", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-98473r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-91431r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-92251" - ], - "title": "The Red Hat Enterprise Linux 
operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.", - "desc": "[\"Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the system uses a reverse-path filter for IPv4:\n\n# grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d/*\nnet.ipv4.conf.all.rp_filter = 1\n\nIf \"net.ipv4.conf.all.rp_filter\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter\nnet.ipv4.conf.all.rp_filter = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.all.rp_filter = 1 \n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" - } + "descs": {} }, "V-92253": { "tags": { - "check_id": "C-91433r1_chk", - "severity": "medium", - "gid": "V-92253", - "rid": "SV-102355r1_rule", - "stig_id": "RHEL-07-040612", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-98475r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-91433r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-92253" - ], - "title": "The Red Hat Enterprise Linux operating system must 
use a reverse-path filter for IPv4 network traffic when possible by default.", - "desc": "[\"Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the system uses a reverse-path filter for IPv4:\n\n# grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d/*\nnet.ipv4.conf.default.rp_filter = 1\n\nIf \"net.ipv4.conf.default.rp_filter\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter\nnet.ipv4.conf.default.rp_filter = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.default.rp_filter = 1 \n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" - } + "descs": {} }, "V-92255": { "tags": { - "check_id": "C-91435r1_chk", - "severity": "medium", - "gid": "V-92255", - "rid": "SV-102357r1_rule", - "stig_id": "RHEL-07-020019", - "gtitle": "SRG-OS-000196", - "fix_id": "F-98477r1_fix", - "cci": [ - "CCI-001263" - ], - "nist": [ - "SI-4 (5)" - ] + "check_id__added": "C-91435r1_chk", + "documentable__added": false, + "severity": "medium" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] + "DPMS Target Red Hat 7" ], - "id": [ - "V-92255" - ], - "title": "The Red Hat Enterprise Linux operating system must have a 
host-based intrusion detection tool installed.", - "desc": "[\"Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.false\"]", - "impact": 0.5, - "descs": { - "check": "Ask the SA or ISSO if a host-based intrusion detection application is loaded on the system. Per OPORD 16-0080, the preferred intrusion detection system is McAfee HBSS available through the U.S. Cyber Command (USCYBERCOM).\n\nIf another host-based intrusion detection application is in use, such as SELinux, this must be documented and approved by the local Authorizing Official.\n\nProcedure:\nExamine the system to determine if the Host Intrusion Prevention System (HIPS) is installed:\n\n# rpm -qa | grep MFEhiplsm\n\nVerify that the McAfee HIPS module is active on the system:\n\n# ps -ef | grep -i “hipclient”\n\nIf the MFEhiplsm package is not installed, check for another intrusion detection system:\n\n# find / -name \n\nWhere is the name of the primary application daemon to determine if the application is loaded on the system.\n\nDetermine if the application is active on the system:\n\n# ps -ef | grep -i \n\nIf the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding.\n\nIf no host-based intrusion detection system is installed and running on the system, this is a finding.", - "fix": "Install and enable the latest McAfee HIPS package, available from USCYBERCOM.\n\nNote: If the system does not support the McAfee HIPS package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official." 
- } + "descs": {} }, "V-94843": { "tags": { - "check_id": "C-94039r3_chk", + "check_id__added": "C-94039r3_chk", + "documentable__added": false, "severity": "high", - "gid": "V-94843", "rid": "SV-104673r2_rule", - "stig_id": "RHEL-07-020231", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-100967r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "fix_id": "F-100967r2_fix" }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-94843" + "DPMS Target Red Hat 7" ], "title": "The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.", - "desc": "[\"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.false\"]", + "desc": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.", "impact": 0.7, "descs": { "check": "Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nVerify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n\nCheck that the ctrl-alt-del.target is masked and not active in the graphical user interface with the following command:\n\n# grep logout /etc/dconf/db/local.d/*\n\nlogout=''\n\nIf \"logout\" is not set to use two single quotations, or is missing, this is a finding.", "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface with the following command:\n\n# touch /etc/dconf/db/local.d/00-disable-CAD \n\nAdd the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''" } } - }, - "changedControls": {} + } }, "rawDiff": { "addedControlIDs": [ - [ - "V-100023" - ], - [ - "V-71849" - ], - [ - "V-71855" - ], - [ - "V-71859" - ], - [ - "V-71861" - ], - [ - "V-71863" - ], - [ - "V-71891" - ], - [ - "V-71893" - ], - [ - "V-71897" - ], - [ - "V-71899" - ], - [ - "V-71901" - ], - [ - "V-71903" - ], - [ - "V-71905" - ], - [ - "V-71907" - ], - [ - "V-71909" - ], - [ - "V-71911" - ], - [ - "V-71913" - ], - [ - "V-71915" - ], - [ - "V-71917" - ], - [ - "V-71919" - ], - [ - "V-71921" - ], - [ - "V-71923" - ], - [ - "V-71925" - ], - [ - "V-71927" - ], - [ - "V-71929" - ], - [ - "V-71931" - ], - [ - "V-71933" - ], - [ - "V-71935" - ], - [ - "V-71937" - ], - [ - "V-71939" - ], - [ - "V-71941" - ], - [ - "V-71943" - ], - [ - "V-71945" - ], - [ - "V-71947" - ], - [ - "V-71949" - ], - [ - "V-71951" - ], - [ - "V-71953" - ], - [ - "V-71955" - ], - [ - "V-71957" - ], - [ - "V-71959" - ], - [ - "V-71961" - ], - [ - "V-71963" - ], - [ - 
"V-71965" - ], - [ - "V-71967" - ], - [ - "V-71969" - ], - [ - "V-71971" - ], - [ - "V-71973" - ], - [ - "V-71975" - ], - [ - "V-71977" - ], - [ - "V-71979" - ], - [ - "V-71983" - ], - [ - "V-71985" - ], - [ - "V-71987" - ], - [ - "V-71989" - ], - [ - "V-71991" - ], - [ - "V-71993" - ], - [ - "V-71995" - ], - [ - "V-71997" - ], - [ - "V-71999" - ], - [ - "V-72001" - ], - [ - "V-72003" - ], - [ - "V-72005" - ], - [ - "V-72007" - ], - [ - "V-72009" - ], - [ - "V-72011" - ], - [ - "V-72013" - ], - [ - "V-72015" - ], - [ - "V-72017" - ], - [ - "V-72019" - ], - [ - "V-72021" - ], - [ - "V-72023" - ], - [ - "V-72025" - ], - [ - "V-72027" - ], - [ - "V-72029" - ], - [ - "V-72031" - ], - [ - "V-72033" - ], - [ - "V-72035" - ], - [ - "V-72037" - ], - [ - "V-72039" - ], - [ - "V-72041" - ], - [ - "V-72043" - ], - [ - "V-72045" - ], - [ - "V-72047" - ], - [ - "V-72049" - ], - [ - "V-72051" - ], - [ - "V-72053" - ], - [ - "V-72055" - ], - [ - "V-72057" - ], - [ - "V-72059" - ], - [ - "V-72061" - ], - [ - "V-72063" - ], - [ - "V-72065" - ], - [ - "V-72067" - ], - [ - "V-72069" - ], - [ - "V-72071" - ], - [ - "V-72073" - ], - [ - "V-72075" - ], - [ - "V-72077" - ], - [ - "V-72079" - ], - [ - "V-72081" - ], - [ - "V-72083" - ], - [ - "V-72085" - ], - [ - "V-72087" - ], - [ - "V-72089" - ], - [ - "V-72091" - ], - [ - "V-72093" - ], - [ - "V-72095" - ], - [ - "V-72097" - ], - [ - "V-72099" - ], - [ - "V-72101" - ], - [ - "V-72103" - ], - [ - "V-72105" - ], - [ - "V-72107" - ], - [ - "V-72109" - ], - [ - "V-72111" - ], - [ - "V-72113" - ], - [ - "V-72115" - ], - [ - "V-72117" - ], - [ - "V-72119" - ], - [ - "V-72121" - ], - [ - "V-72123" - ], - [ - "V-72125" - ], - [ - "V-72127" - ], - [ - "V-72129" - ], - [ - "V-72131" - ], - [ - "V-72133" - ], - [ - "V-72135" - ], - [ - "V-72137" - ], - [ - "V-72139" - ], - [ - "V-72141" - ], - [ - "V-72145" - ], - [ - "V-72147" - ], - [ - "V-72149" - ], - [ - "V-72151" - ], - [ - "V-72153" - ], - [ - "V-72155" - ], - [ - "V-72157" - ], - [ - 
"V-72159" - ], - [ - "V-72161" - ], - [ - "V-72163" - ], - [ - "V-72165" - ], - [ - "V-72167" - ], - [ - "V-72171" - ], - [ - "V-72173" - ], - [ - "V-72175" - ], - [ - "V-72177" - ], - [ - "V-72179" - ], - [ - "V-72183" - ], - [ - "V-72185" - ], - [ - "V-72187" - ], - [ - "V-72189" - ], - [ - "V-72191" - ], - [ - "V-72197" - ], - [ - "V-72199" - ], - [ - "V-72201" - ], - [ - "V-72203" - ], - [ - "V-72205" - ], - [ - "V-72207" - ], - [ - "V-72209" - ], - [ - "V-72211" - ], - [ - "V-72213" - ], - [ - "V-72217" - ], - [ - "V-72219" - ], - [ - "V-72221" - ], - [ - "V-72223" - ], - [ - "V-72225" - ], - [ - "V-72227" - ], - [ - "V-72229" - ], - [ - "V-72231" - ], - [ - "V-72233" - ], - [ - "V-72235" - ], - [ - "V-72237" - ], - [ - "V-72239" - ], - [ - "V-72241" - ], - [ - "V-72243" - ], - [ - "V-72245" - ], - [ - "V-72247" - ], - [ - "V-72249" - ], - [ - "V-72251" - ], - [ - "V-72253" - ], - [ - "V-72255" - ], - [ - "V-72257" - ], - [ - "V-72259" - ], - [ - "V-72261" - ], - [ - "V-72263" - ], - [ - "V-72265" - ], - [ - "V-72267" - ], - [ - "V-72269" - ], - [ - "V-72273" - ], - [ - "V-72275" - ], - [ - "V-72277" - ], - [ - "V-72279" - ], - [ - "V-72281" - ], - [ - "V-72283" - ], - [ - "V-72285" - ], - [ - "V-72287" - ], - [ - "V-72289" - ], - [ - "V-72291" - ], - [ - "V-72293" - ], - [ - "V-72295" - ], - [ - "V-72297" - ], - [ - "V-72299" - ], - [ - "V-72301" - ], - [ - "V-72303" - ], - [ - "V-72305" - ], - [ - "V-72307" - ], - [ - "V-72309" - ], - [ - "V-72311" - ], - [ - "V-72313" - ], - [ - "V-72315" - ], - [ - "V-72317" - ], - [ - "V-72319" - ], - [ - "V-72417" - ], - [ - "V-72427" - ], - [ - "V-72433" - ], - [ - "V-73155" - ], - [ - "V-73157" - ], - [ - "V-73159" - ], - [ - "V-73161" - ], - [ - "V-73163" - ], - [ - "V-73165" - ], - [ - "V-73167" - ], - [ - "V-73171" - ], - [ - "V-73173" - ], - [ - "V-73175" - ], - [ - "V-73177" - ], - [ - "V-77819" - ], - [ - "V-77821" - ], - [ - "V-77823" - ], - [ - "V-77825" - ], - [ - "V-78995" - ], - [ - "V-78997" - ], - [ - 
"V-78999" - ], - [ - "V-79001" - ], - [ - "V-81003" - ], - [ - "V-81005" - ], - [ - "V-81007" - ], - [ - "V-81009" - ], - [ - "V-81011" - ], - [ - "V-81013" - ], - [ - "V-81015" - ], - [ - "V-81017" - ], - [ - "V-81019" - ], - [ - "V-81021" - ], - [ - "V-92251" - ], - [ - "V-92253" - ], - [ - "V-92255" - ], - [ - "V-94843" - ] + "V-100023" ], - "removedControlIDs": [ + "removedControlIDs": [], + "renamedControlIDs": {}, + "changedControlIDs": [ "V-71849", "V-71855", "V-71859", @@ -10229,8 +3423,6 @@ "V-92255", "V-94843" ], - "renamedControlIDs": {}, - "changedControlIDs": [], "addedControls": { "V-100023": { "tags": { @@ -10241,6 +3433,12 @@ "stig_id": "RHEL-07-020111", "gtitle": "SRG-OS-000114-GPOS-00059", "fix_id": "F-105707r1_fix", + "satisfies": [ + "SRG-OS-000114-GPOS-00059", + "SRG-OS-000378-GPOS-00163", + "SRG-OS-000480-GPOS-00227" + ], + "documentable": false, "cci": [ "CCI-000366", "CCI-000778", 
@@ -10253,8218 +3451,9770 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-100023" + "DPMS Target Red Hat 7" ], + "id": "V-100023", "title": "The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.", - "desc": "[\"Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.\\n\\nSatisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227false\"]", + "desc": "Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.\n\n", "impact": 0.5, "descs": { "check": "Verify the operating system disables the ability to automount devices in a graphical user interface.\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\nCheck to see if automounter service is disabled with the following commands:\n# cat /etc/dconf/db/local.d/00-No-Automount\n\n[org/gnome/desktop/media-handling]\n\nautomount=false\n\nautomount-open=false\n\nautorun-never=true\n\nIf the output does not match the example above, this is a finding.\n\n# cat /etc/dconf/db/local.d/locks/00-No-Automount\n\n/org/gnome/desktop/media-handling/automount\n\n/org/gnome/desktop/media-handling/automount-open\n\n/org/gnome/desktop/media-handling/autorun-never\nIf the output does not match the example, this is a finding.", "fix": "Configure the graphical user interface to disable the ability to automount devices.\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\nCreate or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following: \n\n[org/gnome/desktop/media-handling]\n\nautomount=false\n\nautomount-open=false\n\nautorun-never=true\n\nCreate or edit the /etc/dconf/db/local.d/locks/00-No-Automount file and add the following:\n/org/gnome/desktop/media-handling/automount\n\n/org/gnome/desktop/media-handling/automount-open\n\n/org/gnome/desktop/media-handling/autorun-never\n\nRun the following command to update the database:\n\n# dconf update" } - }, + } + }, + "changedControls": { "V-71849": { + "describe__deleted": " rpm_verify_perms_except = input('rpm_verify_perms_except')\n\n if input('disable_slow_controls')\n describe \"This control consistently takes a long time to run and has been disabled\n using the disable_slow_controls attribute.\" do\n skip \"This control consistently takes a long time to run and has been disabled\n using the disable_slow_controls attribute. 
You must enable this control for a\n full accredidation for production.\"\n end\n else\n describe command(\"rpm -Va | grep '^.M' | awk 'NF>1{print $NF}'\").stdout.strip.split(\"\\n\") do\n it { should all(be_in rpm_verify_perms_except) }\n end\n end", "tags": { - "check_id": "C-72081r8_chk", - "severity": "high", - "gid": "V-71849", - "rid": "SV-86473r4_rule", - "stig_id": "RHEL-07-010010", - "gtitle": "SRG-OS-000257-GPOS-00098", - "fix_id": "F-78201r4_fix", - "cci": [ - "CCI-001494", - "CCI-001496", - "CCI-002165", - "CCI-002235" - ], - "nist": [ - "AU-9", - "AU-9 (3)", - "AC-3 (4)", - "AC-6 (10)" - ] + "check_id__added": "C-72081r8_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71849" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.", - "desc": "[\"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default.\\n\\nSatisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the file permissions, ownership, and group membership of system files and\ncommands match the vendor values.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." 
+ }, + "desc": { + "__old": "Discretionary access control is weakened if a user or group has access\npermissions to system files and directories greater than the default.", + "__new": "Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default.\n\n" + }, "descs": { - "check": "Verify the file permissions, ownership, and group membership of system files and commands match the vendor values.\n\nCheck the default file permissions, ownership, and group membership of system files and commands with the following command:\n\n# for i in `rpm -Va | egrep -i '^\\.[M|U|G|.]{8}' | cut -d \" \" -f4,5`;do for j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d \" \" -f1,5,6,7 | grep $i;done;done\n\n/var/log/gdm 040755 root root\n/etc/audisp/audisp-remote.conf 0100640 root root\n/usr/bin/passwd 0104755 root root\n\nFor each file returned, verify the current permissions, ownership, and group membership:\n# ls -la \n\n-rw-------. 
1 root root 133 Jan 11 13:25 /etc/audisp/audisp-remote.conf\n\nIf the file is more permissive than the default permissions, this is a finding.\n\nIf the file is not owned by the default owner and is not documented with the Information System Security Officer (ISSO), this is a finding.\n\nIf the file is not a member of the default group and is not documented with the Information System Security Officer (ISSO), this is a finding.", - "fix": "Run the following command to determine which package owns the file:\n\n# rpm -qf \n\nReset the user and group ownership of files within a package with the following command:\n\n#rpm --setugids \n\n\nReset the permissions of files within a package with the following command:\n\n#rpm --setperms " + "default__deleted": "Discretionary access control is weakened if a user or group has access\npermissions to system files and directories greater than the default.", + "rationale__deleted": "", + "check": { + "__old": "Verify the file permissions, ownership, and group membership of system\nfiles and commands match the vendor values.\n\n Check the default file permissions, ownership, and group membership of\nsystem files and commands with the following command:\n\n # for i in `rpm -Va | egrep -i '^\\.[M|U|G|.]{8}' | cut -d \" \" -f4,5`;do\nfor j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d \" \" -f1,5,6,7 | grep\n$i;done;done\n\n /var/log/gdm 040755 root root\n /etc/audisp/audisp-remote.conf 0100640 root root\n /usr/bin/passwd 0104755 root root\n\n For each file returned, verify the current permissions, ownership, and\ngroup membership:\n # ls -la \n\n -rw-------. 
1 root root 133 Jan 11 13:25 /etc/audisp/audisp-remote.conf\n\n If the file is more permissive than the default permissions, this is a\nfinding.\n\n If the file is not owned by the default owner and is not documented with\nthe Information System Security Officer (ISSO), this is a finding.\n\n If the file is not a member of the default group and is not documented with\nthe Information System Security Officer (ISSO), this is a finding.", + "__new": "Verify the file permissions, ownership, and group membership of system files and commands match the vendor values.\n\nCheck the default file permissions, ownership, and group membership of system files and commands with the following command:\n\n# for i in `rpm -Va | egrep -i '^\\.[M|U|G|.]{8}' | cut -d \" \" -f4,5`;do for j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d \" \" -f1,5,6,7 | grep $i;done;done\n\n/var/log/gdm 040755 root root\n/etc/audisp/audisp-remote.conf 0100640 root root\n/usr/bin/passwd 0104755 root root\n\nFor each file returned, verify the current permissions, ownership, and group membership:\n# ls -la \n\n-rw-------. 1 root root 133 Jan 11 13:25 /etc/audisp/audisp-remote.conf\n\nIf the file is more permissive than the default permissions, this is a finding.\n\nIf the file is not owned by the default owner and is not documented with the Information System Security Officer (ISSO), this is a finding.\n\nIf the file is not a member of the default group and is not documented with the Information System Security Officer (ISSO), this is a finding." 
+ }, + "fix": { + "__old": "Run the following command to determine which package owns the file:\n\n # rpm -qf \n\n Reset the user and group ownership of files within a package with the\nfollowing command:\n\n #rpm --setugids \n\n\n Reset the permissions of files within a package with the following command:\n\n #rpm --setperms ", + "__new": "Run the following command to determine which package owns the file:\n\n# rpm -qf \n\nReset the user and group ownership of files within a package with the following command:\n\n#rpm --setugids \n\n\nReset the permissions of files within a package with the following command:\n\n#rpm --setperms " + } } }, "V-71855": { + "describe__deleted": "rpm_verify_integrity_except = input('rpm_verify_integrity_except')\n\nif input('disable_slow_controls')\n describe \"This control consistently takes a long to run and has been disabled\n using the disable_slow_controls attribute.\" do\n skip \"This control consistently takes a long to run and has been disabled\n using the disable_slow_controls attribute. 
You must enable this control for a\n full accredidation for production.\"\n end\n else\n # grep excludes files that are marked with 'c' attribute (config files)\n describe command(\"rpm -Va | grep '^..5' | grep -E -v '[a-z]*c[a-z]*\\\\s+\\\\S+$' | awk 'NF>1{print $NF}'\").\n stdout.strip.split(\"\\n\") do\n it { should all(be_in rpm_verify_integrity_except) }\n end\n end", "tags": { - "check_id": "C-72087r3_chk", - "severity": "high", - "gid": "V-71855", - "rid": "SV-86479r4_rule", - "stig_id": "RHEL-07-010020", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78207r1_fix", - "cci": [ - "CCI-001749" - ], - "nist": [ - "CM-5 (3)" - ] + "check_id__added": "C-72087r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71855" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.", - "desc": "[\"Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection.\\n\\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the cryptographic hash of system files and commands matches vendor values.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." 
+ }, + "desc": { + "__old": "Without cryptographic integrity protections, system command and files\ncan be altered by unauthorized users without detection.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the key used to generate the hash.", + "__new": "Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash." + }, "descs": { - "check": "Verify the cryptographic hash of system files and commands match the vendor values.\n\nCheck the cryptographic hash of system files and commands with the following command:\n\nNote: System configuration files (indicated by a \"c\" in the second column) are expected to change over time. 
Unusual modifications should be investigated through the system audit log.\n\n# rpm -Va --noconfig | grep '^..5'\n\nIf there is any output from the command for system files or binaries, this is a finding.", - "fix": "Run the following command to determine which package owns the file:\n\n# rpm -qf \n\nThe package can be reinstalled from a yum repository using the command:\n\n# sudo yum reinstall \n\nAlternatively, the package can be reinstalled from trusted media using the command:\n\n# sudo rpm -Uvh " + "default__deleted": "Without cryptographic integrity protections, system command and files\ncan be altered by unauthorized users without detection.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the key used to generate the hash.", + "rationale__deleted": "", + "check": { + "__old": "Verify the cryptographic hash of system files and commands match the vendor\nvalues.\n\n Check the cryptographic hash of system files and commands with the\nfollowing command:\n\n Note: System configuration files (indicated by a \"c\" in the second\ncolumn) are expected to change over time. Unusual modifications should be\ninvestigated through the system audit log.\n\n # rpm -Va --noconfig | grep '^..5'\n\n If there is any output from the command for system files or binaries, this\nis a finding.", + "__new": "Verify the cryptographic hash of system files and commands match the vendor values.\n\nCheck the cryptographic hash of system files and commands with the following command:\n\nNote: System configuration files (indicated by a \"c\" in the second column) are expected to change over time. 
Unusual modifications should be investigated through the system audit log.\n\n# rpm -Va --noconfig | grep '^..5'\n\nIf there is any output from the command for system files or binaries, this is a finding." + }, + "fix": { + "__old": "Run the following command to determine which package owns the file:\n\n # rpm -qf \n\n The package can be reinstalled from a yum repository using the command:\n\n # sudo yum reinstall \n\n Alternatively, the package can be reinstalled from trusted media using the\ncommand:\n\n # sudo rpm -Uvh ", + "__new": "Run the following command to determine which package owns the file:\n\n# rpm -qf \n\nThe package can be reinstalled from a yum repository using the command:\n\n# sudo yum reinstall \n\nAlternatively, the package can be reinstalled from trusted media using the command:\n\n# sudo rpm -Uvh " + } } }, "V-71859": { + "describe__deleted": " if package('gnome-desktop3').installed?\n if !input('dconf_user').nil? and command('whoami').stdout.strip == 'root'\n describe command(\"sudo -u input('dconf_user') dconf read /org/gnome/login-screen/banner-message-enable\") do\n its('stdout.strip') { should cmp input('banner_message_enabled').to_s }\n end\n else\n describe command(\"dconf read /org/gnome/login-screen/banner-message-enable\") do\n its('stdout.strip') { should cmp input('banner_message_enabled').to_s }\n end\n end\n else\n impact 0.0\n describe \"The GNOME desktop is not installed\" do \n skip \"The GNOME desktop is not installed, this control is Not Applicable.\"\n end\n end", "tags": { - "check_id": "C-72091r5_chk", - "severity": "medium", - "gid": "V-71859", - "rid": "SV-86483r4_rule", - "stig_id": "RHEL-07-010030", - "gtitle": "SRG-OS-000023-GPOS-00006", - "fix_id": "F-78211r4_fix", - "cci": [ - "CCI-000048" - ], - "nist": [ - "AC-8 a" - ] + "check_id__added": "C-72091r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - 
"V-71859" - ], - "title": "The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.", - "desc": "[\"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\\n\\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\\n\\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\\n\\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal 
representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\\\"\\n\\n\\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must display the\nStandard Mandatory DoD Notice and Consent Banner before granting local or\nremote access to the system via a graphical user logon.", + "__new": "The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." + }, + "desc": { + "__old": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"", + "__new": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. 
\n\nCheck to see if the operating system displays a banner at the logon screen with the following command:\n\n# grep banner-message-enable /etc/dconf/db/local.d/*\nbanner-message-enable=true\n\nIf \"banner-message-enable\" is set to \"false\" or is missing, this is a finding.", - "fix": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCreate a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:\n\n# touch /etc/dconf/db/local.d/01-banner-message\n\nAdd the following line to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\n[org/gnome/login-screen]\nbanner-message-enable=true\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect." + "default__deleted": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\"", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system displays the Standard Mandatory DoD Notice and\nConsent Banner before granting access to the operating system via a graphical\nuser logon.\n\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable.\n\n Check to see if the operating system displays a banner at the logon screen\nwith the following command:\n\n # grep banner-message-enable /etc/dconf/db/local.d/*\n banner-message-enable=true\n\n If \"banner-message-enable\" is set to \"false\" or is missing, this is a\nfinding.", + "__new": "Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. \n\nCheck to see if the operating system displays a banner at the logon screen with the following command:\n\n# grep banner-message-enable /etc/dconf/db/local.d/*\nbanner-message-enable=true\n\nIf \"banner-message-enable\" is set to \"false\" or is missing, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to display the Standard Mandatory DoD Notice\nand Consent Banner before granting access to the system.\n\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable.\n\n Create a database to contain the system-wide graphical user logon settings\n(if it does not already exist) with the following command:\n\n # touch /etc/dconf/db/local.d/01-banner-message\n\n Add the following line to the [org/gnome/login-screen] section of the\n\"/etc/dconf/db/local.d/01-banner-message\":\n\n [org/gnome/login-screen]\n banner-message-enable=true\n\n Update the system databases:\n\n # dconf update\n\n Users must log out and back in again before the system-wide settings take\neffect.", + "__new": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCreate a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:\n\n# touch /etc/dconf/db/local.d/01-banner-message\n\nAdd the following line to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\n[org/gnome/login-screen]\nbanner-message-enable=true\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect." 
+ } } }, "V-71861": { + "describe__deleted": " if package('gnome-desktop3').installed?\n #Get all files that have the banner-message-text specified.\n banner_files =\n command(\"grep -l banner-message-text /etc/dconf/db/local.d/*\").stdout.split(\"\\n\")\n #If there are no banner files then this is a finding.\n banner_missing = banner_files.empty?\n describe \"If no files specify the banner text then this is a finding\" do\n subject { banner_missing }\n it{should be false}\n end if banner_missing\n #If there are banner files then check them to make sure they have the correct text.\n banner_files.each do |banner_file|\n banner_message =\n parse_config_file(banner_file).params(\"org/gnome/login-screen\",\"banner-message-text\").gsub(%r{[\\r\\n\\s]}, '')\n #dconf expects the banner-message-text to be quoted so remove leading and trailing quote.\n #See https://developer.gnome.org/dconf/unstable/dconf-tool.html which states:\n # VALUE arguments must be in GVariant format, so e.g. a string must include\n # explicit quotes: \"'foo'\". 
This format is also used when printing out values.\n if banner_message.start_with?('\"') || banner_message.start_with?('\\'')\n banner_message = banner_message[1,banner_message.length]\n end\n if banner_message.end_with?('\"') || banner_message.end_with?('\\'')\n banner_message = banner_message.chop\n end\n banner_message.gsub!('\\\\n', '')\n foo = input('banner_message_text_gui');\n foo2 = input('banner_message_text_gui_limited');\n describe.one do\n describe banner_message do\n it{should cmp foo.gsub(%r{[\\r\\n\\s]}, '')}\n end\n describe banner_message do\n it{should cmp foo2.gsub(%r{[\\r\\n\\s]}, '')}\n end\n end\n end\n else\n impact 0.0\n describe \"The system does not have GNOME installed\" do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end", "tags": { - "check_id": "C-72093r5_chk", - "severity": "medium", - "gid": "V-71861", - "rid": "SV-86485r5_rule", - "stig_id": "RHEL-07-010040", - "gtitle": "SRG-OS-000023-GPOS-00006", - "fix_id": "F-78213r6_fix", - "cci": [ - "CCI-000048" - ], - "nist": [ - "AC-8 a" - ] + "check_id__added": "C-72093r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, + "rid": { + "__old": "SV-86485r4_rule", + "__new": "SV-86485r5_rule" + }, + "fix_id": { + "__old": "F-78213r5_fix", + "__new": "F-78213r6_fix" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71861" - ], - "title": "The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.", - "desc": "[\"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\\n\\nSystem use notifications are required only 
for access via logon interfaces with human users and are not required when such human interfaces do not exist.\\n\\nThe banner must be formatted in accordance with applicable DoD policy.\\n\\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\\\"\\n\\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must display the\napproved Standard Mandatory DoD Notice and Consent Banner before granting local\nor remote access to the system via a graphical user logon.", + "__new": "The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." + }, + "desc": { + "__old": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n -At any time, the USG may inspect and seize data stored on this IS.\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"", + "__new": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy.\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system displays the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.\n\nCheck that the operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text with the command:\n\n# grep banner-message-text /etc/dconf/db/local.d/*\nbanner-message-text=\n'You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. 
They will not be displayed on the Graphical User Interface.\n\nIf the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.", - "fix": "Configure the operating system to display the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.\n\nCreate a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:\n\n# touch /etc/dconf/db/local.d/01-banner-message\n\nAdd the following line to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\n[org/gnome/login-screen]\n\nbanner-message-enable=true\n\nbanner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, 
psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the Graphical User Interface.\n\nRun the following command to update the database:\n# dconf update" + "default__deleted": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n -At any time, the USG may inspect and seize data stored on this IS.\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system displays the approved Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a\ngraphical user logon.\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable.\n Check that the operating system displays the exact approved Standard\nMandatory DoD Notice and Consent Banner text with the command:\n # grep banner-message-text /etc/dconf/db/local.d/*\n banner-message-text=\n 'You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details. '\n Note: The \" \" characters are for formatting only. They will not be displayed on the\nGUI.\n If the banner does not match the approved Standard Mandatory DoD Notice and\nConsent Banner, this is a finding.", + "__new": "Verify the operating system displays the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.\n\nCheck that the operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text with the command:\n\n# grep banner-message-text /etc/dconf/db/local.d/*\nbanner-message-text=\n'You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the Graphical User Interface.\n\nIf the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to display the approved Standard Mandatory\nDoD Notice and Consent Banner before granting access to the system.\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable.\n Create a database to contain the system-wide graphical user logon settings\n(if it does not already exist) with the following command:\n # touch /etc/dconf/db/local.d/01-banner-message\n Add the following line to the [org/gnome/login-screen] section of the\n\"/etc/dconf/db/local.d/01-banner-message\":\n [org/gnome/login-screen]\n banner-message-enable=true\n banner-message-text='You are accessing a U.S. Government (USG) Information\nSystem (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details. 
'\n Note: The \" \" characters are for formatting only. They will not be displayed on the\nGUI.\n Run the following command to update the database:\n # dconf update", + "__new": "Configure the operating system to display the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.\n\nCreate a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:\n\n# touch /etc/dconf/db/local.d/01-banner-message\n\nAdd the following line to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\n[org/gnome/login-screen]\n\nbanner-message-enable=true\n\nbanner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, 
or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the Graphical User Interface.\n\nRun the following command to update the database:\n# dconf update" + } } }, "V-71863": { + "describe__deleted": " banner_message_text_cli = input('banner_message_text_cli')\n banner_message_text_cli_limited = input('banner_message_text_cli_limited')\n\n clean_banner = banner_message_text_cli.gsub(%r{[\\r\\n\\s]}, '')\n clean_banner_limited = banner_message_text_cli_limited.gsub(%r{[\\r\\n\\s]}, '')\n banner_file = file(\"/etc/issue\")\n banner_missing = !banner_file.exist?\n\n describe \"The banner text is not set because /etc/issue does not exist\" do\n subject { banner_missing }\n it { should be false }\n end if banner_missing\n\n banner_message = banner_file.content.gsub(%r{[\\r\\n\\s]}, '')\n describe.one do\n describe \"The banner text should match the standard banner\" do\n subject { banner_message }\n it { should cmp clean_banner }\n end\n describe \"The banner text should match the limited banner\" do\n subject { banner_message }\n it{should cmp clean_banner_limited }\n end\n end if !banner_missing", "tags": { - "check_id": "C-72097r1_chk", - "severity": "medium", - "gid": "V-71863", - "rid": "SV-86487r3_rule", - "stig_id": "RHEL-07-010050", - "gtitle": "SRG-OS-000023-GPOS-00006", - "fix_id": "F-78217r2_fix", - "cci": [ - "CCI-000048" - ], - "nist": [ - "AC-8 a" - ] + "check_id__added": "C-72097r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71863" - ], - "title": "The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.", - "desc": "[\"Display of a 
standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\\n\\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\\n\\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\\n\\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\\\"\\n\\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must display the\nStandard Mandatory DoD Notice and Consent Banner before granting local or\nremote access to the system via a command line user logon.", + "__new": "The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon." + }, + "desc": { + "__old": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"", + "__new": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\n" + }, "descs": { - "check": "Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon.\n\nCheck to see if the operating system displays a banner at the command line logon screen with the following command:\n\n# more /etc/issue\n\nThe command should return the following text:\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nIf the operating system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.\n\nIf the text in the \"/etc/issue\" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.", - "fix": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the command line by editing the \"/etc/issue\" file.\n\nReplace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"" + "default__deleted": "Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system displays the Standard Mandatory DoD Notice and\nConsent Banner before granting access to the operating system via a command\nline user logon.\n\n Check to see if the operating system displays a banner at the command line\nlogon screen with the following command:\n\n # more /etc/issue\n\n The command should return the following text:\n \"You are accessing a U.S. 
Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\"\n\n If the operating system does not display a graphical logon banner or the\nbanner does not match the Standard Mandatory DoD Notice and Consent Banner,\nthis is a finding.\n\n If the text in the \"/etc/issue\" file does not match the Standard\nMandatory DoD Notice and Consent Banner, this is a finding.", + "__new": "Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon.\n\nCheck to see if the operating system displays a banner at the command line logon screen with the following command:\n\n# more /etc/issue\n\nThe command should return the following text:\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nIf the operating system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.\n\nIf the text in the \"/etc/issue\" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to display the Standard Mandatory DoD Notice\nand Consent Banner before granting access to the system via the command line by\nediting the \"/etc/issue\" file.\n\n Replace the default text with the Standard Mandatory DoD Notice and Consent\nBanner. The DoD required text is:\n \"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\"", + "__new": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the command line by editing the \"/etc/issue\" file.\n\nReplace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"" + } } }, "V-71891": { + "describe__deleted": " if package('gnome-desktop3').installed?\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do\n its('stdout.strip') { should cmp 'true' }\n end\n else\n impact 0.0\n describe \"The system does not have GNOME installed\" do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end", "tags": { - "check_id": "C-72123r2_chk", - "severity": "medium", - "gid": "V-71891", - "rid": "SV-86515r6_rule", - "stig_id": "RHEL-07-010060", - "gtitle": "SRG-OS-000028-GPOS-00009", - "fix_id": "F-78243r9_fix", - "cci": [ - "CCI-000056" - ], - "nist": [ - "AC-11 b" - ] + "check_id__added": "C-72123r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71891" - ], - "title": "The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.", - "desc": "[\"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\\n\\nThe session lock is implemented at the point where session activity can be determined.\\n\\nRegardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. 
No other activity aside from reauthentication must unlock the system.\\n\\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must enable a user\nsession lock until that user re-establishes access using established\nidentification and authentication procedures.", + "__new": "The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures." + }, + "desc": { + "__old": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n Regardless of where the session lock is determined and implemented, once\ninvoked, the session lock must remain in place until the user reauthenticates.\nNo other activity aside from reauthentication must unlock the system.", + "__new": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nRegardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. 
The screen program must be installed to lock sessions on the console.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if the screen lock is enabled with the following command:\n\n# grep -i lock-enabled /etc/dconf/db/local.d/*\nlock-enabled=true\n\nIf the \"lock-enabled\" setting is missing or is not set to \"true\", this is a finding.", - "fix": "Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following example:\n\n# touch /etc/dconf/db/local.d/00-screensaver\n\nEdit the \"[org/gnome/desktop/screensaver]\" section of the database file and add or update the following lines:\n\n# Set this to true to lock the screen when the screensaver activates\nlock-enabled=true\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect." + "default__deleted": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n Regardless of where the session lock is determined and implemented, once\ninvoked, the session lock must remain in place until the user reauthenticates.\nNo other activity aside from reauthentication must unlock the system.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system enables a user's session lock until that user\nre-establishes access using established identification and authentication\nprocedures. 
The screen program must be installed to lock sessions on the\nconsole.\n\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable.\n\n Check to see if the screen lock is enabled with the following command:\n\n # grep -i lock-enabled /etc/dconf/db/local.d/*\n lock-enabled=true\n\n If the \"lock-enabled\" setting is missing or is not set to \"true\", this\nis a finding.", + "__new": "Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. The screen program must be installed to lock sessions on the console.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if the screen lock is enabled with the following command:\n\n# grep -i lock-enabled /etc/dconf/db/local.d/*\nlock-enabled=true\n\nIf the \"lock-enabled\" setting is missing or is not set to \"true\", this is a finding." + }, + "fix": { + "__old": "Configure the operating system to enable a user's session lock until that\nuser re-establishes access using established identification and authentication\nprocedures.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following example:\n\n # touch /etc/dconf/db/local.d/00-screensaver\n\n Edit the \"[org/gnome/desktop/screensaver]\" section of the database file\nand add or update the following lines:\n\n # Set this to true to lock the screen when the screensaver activates\n lock-enabled=true\n\n Update the system databases:\n\n # dconf update\n\n Users must log out and back in again before the system-wide settings take\neffect.", + "__new": "Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following 
example:\n\n# touch /etc/dconf/db/local.d/00-screensaver\n\nEdit the \"[org/gnome/desktop/screensaver]\" section of the database file and add or update the following lines:\n\n# Set this to true to lock the screen when the screensaver activates\nlock-enabled=true\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect." + } } }, "V-71893": { + "describe__deleted": " unless package('gnome-desktop3').installed?\n impact 0.0\n describe \"The system does not have GNOME installed\" do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n else \n describe command(\"gsettings get org.gnome.desktop.session idle-delay | cut -d ' ' -f2\") do\n its('stdout.strip') { should cmp <= 900 }\n end \n end", "tags": { - "check_id": "C-72125r1_chk", - "severity": "medium", - "gid": "V-71893", - "rid": "SV-86517r5_rule", - "stig_id": "RHEL-07-010070", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-78245r5_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id__added": "C-72125r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71893" - ], - "title": "The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.", - "desc": "[\"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must initiate a\nscreensaver after a 15-minute period of inactivity for graphical user\ninterfaces.", + "__new": "The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces." + }, + "desc": { + "__old": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.", + "__new": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled." 
+ }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if GNOME is configured to display a screensaver after a 15 minute delay with the following command:\n\n# grep -i idle-delay /etc/dconf/db/local.d/*\nidle-delay=uint32 900\n\nIf the \"idle-delay\" setting is missing or is not set to \"900\" or less, this is a finding.", - "fix": "Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:\n\n# touch /etc/dconf/db/local.d/00-screensaver\n\nEdit /etc/dconf/db/local.d/00-screensaver and add or update the following lines:\n\n[org/gnome/desktop/session]\n# Set the lock time out to 900 seconds before the session is considered idle\nidle-delay=uint32 900\n\nYou must include the \"uint32\" along with the integer key values as shown.\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect." 
+ "default__deleted": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system initiates a screensaver after a 15-minute\nperiod of inactivity for graphical user interfaces. The screen program must be\ninstalled to lock sessions on the console.\n\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable.\n\n Check to see if GNOME is configured to display a screensaver after a 15\nminute delay with the following command:\n\n # grep -i idle-delay /etc/dconf/db/local.d/*\n idle-delay=uint32 900\n\n If the \"idle-delay\" setting is missing or is not set to \"900\" or less,\nthis is a finding.", + "__new": "Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCheck to see if GNOME is configured to display a screensaver after a 15 minute delay with the following command:\n\n# grep -i idle-delay /etc/dconf/db/local.d/*\nidle-delay=uint32 900\n\nIf the \"idle-delay\" setting is missing or is not set to \"900\" or less, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to initiate a screensaver after a 15-minute\nperiod of inactivity for graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n # touch /etc/dconf/db/local.d/00-screensaver\n\n Edit /etc/dconf/db/local.d/00-screensaver and add or update the following\nlines:\n\n [org/gnome/desktop/session]\n # Set the lock time out to 900 seconds before the session is considered idle\n idle-delay=uint32 900\n\n You must include the \"uint32\" along with the integer key values as shown.\n\n Update the system databases:\n\n # dconf update\n\n Users must log out and back in again before the system-wide settings take\neffect.", + "__new": "Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:\n\n# touch /etc/dconf/db/local.d/00-screensaver\n\nEdit /etc/dconf/db/local.d/00-screensaver and add or update the following lines:\n\n[org/gnome/desktop/session]\n# Set the lock time out to 900 seconds before the session is considered idle\nidle-delay=uint32 900\n\nYou must include the \"uint32\" along with the integer key values as shown.\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect." 
+ } } }, "V-71897": { + "describe__deleted": " multiplexer_packages = input('terminal_mux_pkgs')\n\n describe.one do\n multiplexer_packages.each do |pkg| \n describe package(pkg) do\n it { should be_installed }\n end\n end\n end", "tags": { - "check_id": "C-72129r3_chk", - "severity": "medium", - "gid": "V-71897", - "rid": "SV-86521r3_rule", - "stig_id": "RHEL-07-010090", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-78249r3_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id__added": "C-72129r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71897" - ], - "title": "The Red Hat Enterprise Linux operating system must have the screen package installed.", - "desc": "[\": A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe screen and tmux packages allow for a session lock to be implemented and configured.\\nfalse\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must have the screen\npackage installed.", + "__new": "The Red Hat Enterprise Linux operating system must have the screen package installed." + }, + "desc": { + "__old": ": A session time-out lock is a temporary action taken when a user\nstops work and moves away from the immediate physical vicinity of the\ninformation system but does not log out because of the temporary nature of the\nabsence. 
Rather than relying on the user to manually lock their operating\nsystem session prior to vacating the vicinity, operating systems need to be\nable to identify when a user's session has idled and take action to initiate\nthe session lock.\n\n The screen and tmux packages allow for a session lock to be implemented and\nconfigured.", + "__new": ": A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe screen and tmux packages allow for a session lock to be implemented and configured." + }, "descs": { - "check": "Verify the operating system has the screen package installed.\n\nCheck to see if the screen package is installed with the following command:\n\n# yum list installed screen\nscreen-4.3.1-3-x86_64.rpm\n\nIf the screen package is not installed, check to see if the tmux package is installed with the following command:\n\n#yum list installed tmux\ntmux-1.8-4.el7.x86_64.rpm \n\nIf either the screen package or the tmux package is not installed, this is a finding.", - "fix": "Install the screen package to allow the initiation of a session lock after a 15-minute period of inactivity.\n\nInstall the screen program (if it is not on the system) with the following command:\n\n# yum install screen \n\nOR\n\nInstall the tmux program (if it is not on the system) with the following command:\n\n#yum install tmux" + "default__deleted": ": A session time-out lock is a temporary action taken when a user\nstops work and moves away from the immediate physical vicinity of the\ninformation system but does not log out because of the temporary nature of the\nabsence. 
Rather than relying on the user to manually lock their operating\nsystem session prior to vacating the vicinity, operating systems need to be\nable to identify when a user's session has idled and take action to initiate\nthe session lock.\n\n The screen and tmux packages allow for a session lock to be implemented and\nconfigured.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system has the screen package installed.\n\n Check to see if the screen package is installed with the following command:\n\n # yum list installed screen\n screen-4.3.1-3-x86_64.rpm\n\n If the screen package is not installed, check to see if the tmux package is\ninstalled with the following command:\n\n #yum list installed tmux\n tmux-1.8-4.el7.x86_64.rpm\n\n If either the screen package or the tmux package is not installed, this is\na finding.", + "__new": "Verify the operating system has the screen package installed.\n\nCheck to see if the screen package is installed with the following command:\n\n# yum list installed screen\nscreen-4.3.1-3-x86_64.rpm\n\nIf the screen package is not installed, check to see if the tmux package is installed with the following command:\n\n#yum list installed tmux\ntmux-1.8-4.el7.x86_64.rpm \n\nIf either the screen package or the tmux package is not installed, this is a finding." 
+ }, + "fix": { + "__old": "Install the screen package to allow the initiation of a session lock after\na 15-minute period of inactivity.\n\n Install the screen program (if it is not on the system) with the following\ncommand:\n\n # yum install screen\n\n OR\n\n Install the tmux program (if it is not on the system) with the following\ncommand:\n\n #yum install tmux", + "__new": "Install the screen package to allow the initiation of a session lock after a 15-minute period of inactivity.\n\nInstall the screen program (if it is not on the system) with the following command:\n\n# yum install screen \n\nOR\n\nInstall the tmux program (if it is not on the system) with the following command:\n\n#yum install tmux" + } } }, "V-71899": { + "describe__deleted": " if package('gnome-desktop3').installed?\n describe command('gsettings get org.gnome.desktop.screensaver idle-activation-enabled') do\n its('stdout.strip') { should cmp 'true' }\n end \n else\n impact 0.0\n describe \"The system does not have GNOME installed\" do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end", "tags": { - "check_id": "C-72131r4_chk", - "severity": "medium", - "gid": "V-71899", - "rid": "SV-86523r5_rule", - "stig_id": "RHEL-07-010100", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-78251r2_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id__added": "C-72131r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71899" - ], - "title": "The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.", - "desc": "[\"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of 
the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must initiate a session\nlock for the screensaver after a period of inactivity for graphical user\ninterfaces.", + "__new": "The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces." + }, + "desc": { + "__old": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.", + "__new": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled." 
+ }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console.\n\nNote: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.\n\nCheck for the session lock settings with the following commands:\n\n# grep -i idle-activation-enabled /etc/dconf/db/local.d/*\n\nidle-activation-enabled=true\n\nIf \"idle-activation-enabled\" is not set to \"true\", this is a finding.", - "fix": "Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\n# touch /etc/dconf/db/local.d/00-screensaver\n\nAdd the setting to enable screensaver locking after 15 minutes of inactivity:\n\n[org/gnome/desktop/screensaver]\n\nidle-activation-enabled=true\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect." + "default__deleted": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system initiates a session lock after a 15-minute\nperiod of inactivity for graphical user interfaces. 
The screen program must be\ninstalled to lock sessions on the console.\n\n Note: If the system does not have a Graphical User Interface installed,\nthis requirement is Not Applicable.\n\n Check for the session lock settings with the following commands:\n\n # grep -i idle-activation-enabled /etc/dconf/db/local.d/*\n\n idle-activation-enabled=true\n\n If \"idle-activation-enabled\" is not set to \"true\", this is a finding.", + "__new": "Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console.\n\nNote: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.\n\nCheck for the session lock settings with the following commands:\n\n# grep -i idle-activation-enabled /etc/dconf/db/local.d/*\n\nidle-activation-enabled=true\n\nIf \"idle-activation-enabled\" is not set to \"true\", this is a finding." + }, + "fix": { + "__old": "Configure the operating system to initiate a session lock after a 15-minute\nperiod of inactivity for graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n # touch /etc/dconf/db/local.d/00-screensaver\n\n Add the setting to enable screensaver locking after 15 minutes of\ninactivity:\n\n [org/gnome/desktop/screensaver]\n\n idle-activation-enabled=true\n\n Update the system databases:\n\n # dconf update\n\n Users must log out and back in again before the system-wide settings take\neffect.", + "__new": "Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\n# touch /etc/dconf/db/local.d/00-screensaver\n\nAdd the setting to enable screensaver locking after 15 minutes of 
inactivity:\n\n[org/gnome/desktop/screensaver]\n\nidle-activation-enabled=true\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect." + } } }, "V-71901": { + "describe__deleted": " if package('gnome-desktop3').installed?\n describe command(\"gsettings get org.gnome.desktop.screensaver lock-delay | cut -d ' ' -f2\") do\n its('stdout.strip') { should cmp <= input('lock_delay') }\n end\n else\n impact 0.0\n describe \"The system does not have GNOME installed\" do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end", "tags": { - "check_id": "C-72133r5_chk", - "severity": "medium", - "gid": "V-71901", - "rid": "SV-86525r3_rule", - "stig_id": "RHEL-07-010110", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-78253r2_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id__added": "C-72133r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71901" - ], - "title": "The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.", - "desc": "[\"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must initiate a session\nlock for graphical user interfaces when the screensaver is activated.", + "__new": "The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated." + }, + "desc": { + "__old": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.", + "__new": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled." 
+ }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.\n\nIf GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command:\n\n# grep -i lock-delay /etc/dconf/db/local.d/*\nlock-delay=uint32 5\n\nIf the \"lock-delay\" setting is missing, or is not set to \"5\" or less, this is a finding.", - "fix": "Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\n# touch /etc/dconf/db/local.d/00-screensaver\n\nAdd the setting to enable session locking when a screensaver is activated:\n\n[org/gnome/desktop/screensaver]\nlock-delay=uint32 5\n\nThe \"uint32\" must be included along with the integer key values as shown.\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect." 
+ "default__deleted": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system initiates a session lock a for graphical user\ninterfaces when the screensaver is activated.\n\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable. The screen program must be installed to lock sessions on the\nconsole.\n\n If GNOME is installed, check to see a session lock occurs when the\nscreensaver is activated with the following command:\n\n # grep -i lock-delay /etc/dconf/db/local.d/*\n lock-delay=uint32 5\n\n If the \"lock-delay\" setting is missing, or is not set to \"5\" or less,\nthis is a finding.", + "__new": "Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.\n\nIf GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command:\n\n# grep -i lock-delay /etc/dconf/db/local.d/*\nlock-delay=uint32 5\n\nIf the \"lock-delay\" setting is missing, or is not set to \"5\" or less, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to initiate a session lock for graphical\nuser interfaces when a screensaver is activated.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n # touch /etc/dconf/db/local.d/00-screensaver\n\n Add the setting to enable session locking when a screensaver is activated:\n\n [org/gnome/desktop/screensaver]\n lock-delay=uint32 5\n\n The \"uint32\" must be included along with the integer key values as shown.\n\n Update the system databases:\n\n # dconf update\n\n Users must log out and back in again before the system-wide settings take\neffect.", + "__new": "Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\n# touch /etc/dconf/db/local.d/00-screensaver\n\nAdd the setting to enable session locking when a screensaver is activated:\n\n[org/gnome/desktop/screensaver]\nlock-delay=uint32 5\n\nThe \"uint32\" must be included along with the integer key values as shown.\n\nUpdate the system databases:\n\n# dconf update\n\nUsers must log out and back in again before the system-wide settings take effect." 
+ } } }, "V-71903": { + "describe__deleted": " describe parse_config_file(\"/etc/security/pwquality.conf\") do\n its('ucredit.to_i') { should cmp < 0 }\n end", "tags": { - "check_id": "C-72135r3_chk", - "severity": "medium", - "gid": "V-71903", - "rid": "SV-86527r3_rule", - "stig_id": "RHEL-07-010120", - "gtitle": "SRG-OS-000069-GPOS-00037", - "fix_id": "F-78255r1_fix", - "cci": [ - "CCI-000192" - ], - "nist": [ - "IA-5 (1) (a)" - ] + "check_id__added": "C-72135r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71903" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\\n\\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat when passwords are changed or new passwords are established, the new\npassword must contain at least one upper-case character.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character." + }, + "desc": { + "__old": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. 
Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "__new": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised." + }, "descs": { - "check": "Note: The value to require a number of upper-case characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"ucredit\" in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep ucredit /etc/security/pwquality.conf \nucredit = -1\n\nIf the value of \"ucredit\" is not set to a negative value, this is a finding.", - "fix": "Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used by setting the \"ucredit\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nucredit = -1" + "default__deleted": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "rationale__deleted": "", + "check": { + "__old": "Note: The value to require a number of upper-case characters to be set is\nexpressed as a negative number in \"/etc/security/pwquality.conf\".\n\n Check the value for \"ucredit\" in \"/etc/security/pwquality.conf\" with\nthe following command:\n\n # grep ucredit /etc/security/pwquality.conf\n ucredit = -1\n\n If the value of \"ucredit\" is not set to a negative value, this is a\nfinding.", + "__new": "Note: The value to require a number of upper-case characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"ucredit\" in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep ucredit /etc/security/pwquality.conf \nucredit = -1\n\nIf the value of \"ucredit\" is not set to a negative value, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to enforce password complexity by requiring\nthat at least one upper-case character be used by setting the \"ucredit\"\noption.\n\n Add the following line to \"/etc/security/pwquality.conf\" (or modify the\nline to have the required value):\n\n ucredit = -1", + "__new": "Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used by setting the \"ucredit\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nucredit = -1" + } } }, "V-71905": { + "describe__deleted": " describe parse_config_file(\"/etc/security/pwquality.conf\") do\n its('lcredit.to_i') { should cmp < 0 }\n end", "tags": { - "check_id": "C-72137r5_chk", - "severity": "medium", - "gid": "V-71905", - "rid": "SV-86529r5_rule", - "stig_id": "RHEL-07-010130", - "gtitle": "SRG-OS-000070-GPOS-00038", - "fix_id": "F-78257r6_fix", - "cci": [ - 
"CCI-000193" - ], - "nist": [ - "IA-5 (1) (a)" - ] + "check_id__added": "C-72137r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71905" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\\n\\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat when passwords are changed or new passwords are established, the new\npassword must contain at least one lower-case character.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character." + }, + "desc": { + "__old": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "__new": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised." + }, "descs": { - "check": "Note: The value to require a number of lower-case characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"lcredit\" in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep lcredit /etc/security/pwquality.conf \nlcredit = -1 \n\nIf the value of \"lcredit\" is not set to a negative value, this is a finding.", - "fix": "Configure the system to require at least one lower-case character when creating or changing a password.\n\nAdd or modify the following line \nin \"/etc/security/pwquality.conf\":\n\nlcredit = -1" + "default__deleted": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "rationale__deleted": "", + "check": { + "__old": "Note: The value to require a number of lower-case characters to be set is\nexpressed as a negative number in \"/etc/security/pwquality.conf\".\n\n Check the value for \"lcredit\" in \"/etc/security/pwquality.conf\" with\nthe following command:\n\n # grep lcredit /etc/security/pwquality.conf\n lcredit = -1\n\n If the value of \"lcredit\" is not set to a negative value, this is a\nfinding.", + "__new": "Note: The value to require a number of lower-case characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"lcredit\" in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep lcredit /etc/security/pwquality.conf \nlcredit = -1 \n\nIf the value of \"lcredit\" is not set to a negative value, this is a finding." + }, + "fix": { + "__old": "Configure the system to require at least one lower-case character when\ncreating or changing a password.\n\n Add or modify the following line\n in \"/etc/security/pwquality.conf\":\n\n lcredit = -1", + "__new": "Configure the system to require at least one lower-case character when creating or changing a password.\n\nAdd or modify the following line \nin \"/etc/security/pwquality.conf\":\n\nlcredit = -1" + } } }, "V-71907": { + "describe__deleted": " describe parse_config_file(\"/etc/security/pwquality.conf\") do\n its('dcredit.to_i') { should cmp < 0 }\n end", "tags": { - "check_id": "C-72139r2_chk", - "severity": "medium", - "gid": "V-71907", - "rid": "SV-86531r3_rule", - "stig_id": "RHEL-07-010140", - "gtitle": "SRG-OS-000071-GPOS-00039", - "fix_id": "F-78259r1_fix", - "cci": [ - "CCI-000194" - ], - "nist": [ - "IA-5 (1) (a)" - ] + "check_id__added": "C-72139r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ 
[ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71907" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\\n\\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat when passwords are changed or new passwords are assigned, the new password\nmust contain at least one numeric character.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character." + }, + "desc": { + "__old": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "__new": "Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised." + }, "descs": { - "check": "Note: The value to require a number of numeric characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"dcredit\" in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep dcredit /etc/security/pwquality.conf \ndcredit = -1 \n\nIf the value of \"dcredit\" is not set to a negative value, this is a finding.", - "fix": "Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the \"dcredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\ndcredit = -1" + "default__deleted": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "rationale__deleted": "", + "check": { + "__old": "Note: The value to require a number of numeric characters to be set is\nexpressed as a negative number in \"/etc/security/pwquality.conf\".\n\n Check the value for \"dcredit\" in \"/etc/security/pwquality.conf\" with\nthe following command:\n\n # grep dcredit /etc/security/pwquality.conf\n dcredit = -1\n\n If the value of \"dcredit\" is not set to a negative value, this is a\nfinding.", + "__new": "Note: The value to require a number of numeric characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"dcredit\" in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep dcredit /etc/security/pwquality.conf \ndcredit = -1 \n\nIf the value of \"dcredit\" is not set to a negative value, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to enforce password complexity by requiring\nthat at least one numeric character be used by setting the \"dcredit\" option.\n\n Add the following line to /etc/security/pwquality.conf (or modify the line\nto have the required value):\n\n dcredit = -1", + "__new": "Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the \"dcredit\" option.\n\nAdd the following line to /etc/security/pwquality.conf (or modify the line to have the required value):\n\ndcredit = -1" + } } }, "V-71909": { + "describe__deleted": " describe parse_config_file(\"/etc/security/pwquality.conf\") do\n its('ocredit.to_i') { should cmp < 0 }\n end", "tags": { - "check_id": "C-72141r1_chk", - "severity": "medium", - "gid": "V-71909", - "rid": "SV-86533r2_rule", - "stig_id": "RHEL-07-010150", - "gtitle": "SRG-OS-000266-GPOS-00101", - "fix_id": "F-78261r2_fix", - "cci": [ - "CCI-001619" - ], - "nist": [ - 
"IA-5 (1) (a)" - ] + "check_id__added": "C-72141r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71909" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\\n\\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat when passwords are changed or new passwords are established, the new\npassword must contain at least one special character.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character." + }, + "desc": { + "__old": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "__new": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised." + }, "descs": { - "check": "Verify the operating system enforces password complexity by requiring that at least one special character be used.\n\nNote: The value to require a number of special characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"ocredit\" in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep ocredit /etc/security/pwquality.conf \nocredit=-1\n\nIf the value of \"ocredit\" is not set to a negative value, this is a finding.", - "fix": "Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the \"ocredit\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nocredit = -1" + "default__deleted": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system enforces password complexity by requiring that\nat least one special character be used.\n\n Note: The value to require a number of special characters to be set is\nexpressed as a negative number in \"/etc/security/pwquality.conf\".\n\n Check the value for \"ocredit\" in \"/etc/security/pwquality.conf\" with\nthe following command:\n\n # grep ocredit /etc/security/pwquality.conf\n ocredit=-1\n\n If the value of \"ocredit\" is not set to a negative value, this is a\nfinding.", + "__new": "Verify the operating system enforces password complexity by requiring that at least one special character be used.\n\nNote: The value to require a number of special characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\".\n\nCheck the value for \"ocredit\" in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep ocredit /etc/security/pwquality.conf \nocredit=-1\n\nIf the value of \"ocredit\" is not set to a negative value, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to enforce password complexity by requiring\nthat at least one special character be used by setting the \"ocredit\" option.\n\n Add the following line to \"/etc/security/pwquality.conf\" (or modify the\nline to have the required value):\n\n ocredit = -1", + "__new": "Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the \"ocredit\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nocredit = -1" + } } }, "V-71911": { + "describe__deleted": " difok = input('difok')\n\n describe parse_config_file(\"/etc/security/pwquality.conf\") do\n its('difok.to_i') { should cmp >= difok }\n end", "tags": { - "check_id": "C-72143r1_chk", - "severity": "medium", - "gid": "V-71911", - "rid": "SV-86535r2_rule", - "stig_id": "RHEL-07-010160", - "gtitle": "SRG-OS-000072-GPOS-00040", - "fix_id": "F-78263r1_fix", - "cci": [ - "CCI-000195" - ], - "nist": [ - "IA-5 (1) (b)" - ] + "check_id__added": "C-72143r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71911" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\\n\\nPassword complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat when passwords are changed a minimum of eight of the total number of\ncharacters must be changed.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed." + }, + "desc": { + "__old": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "__new": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised." 
+ }, "descs": { - "check": "The \"difok\" option sets the number of characters in a password that must not be present in the old password.\n\nCheck for the value of the \"difok\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep difok /etc/security/pwquality.conf \ndifok = 8\n\nIf the value of \"difok\" is set to less than \"8\", this is a finding.", - "fix": "Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the \"difok\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\ndifok = 8" + "default__deleted": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "rationale__deleted": "", + "check": { + "__old": "The \"difok\" option sets the number of characters in a password that must\nnot be present in the old password.\n\n Check for the value of the \"difok\" option in\n\"/etc/security/pwquality.conf\" with the following command:\n\n # grep difok /etc/security/pwquality.conf\n difok = 8\n\n If the value of \"difok\" is set to less than \"8\", this is a finding.", + "__new": "The \"difok\" option sets the number of characters in a password that must not be present in the old password.\n\nCheck for the value of the \"difok\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep difok /etc/security/pwquality.conf \ndifok = 8\n\nIf the value of \"difok\" is set to less than \"8\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to require the change of at least eight of\nthe total number of characters when passwords are changed by setting the\n\"difok\" option.\n\n Add the following line to \"/etc/security/pwquality.conf\" (or modify the\nline to have the required value):\n\n difok = 8", + "__new": "Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the \"difok\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\ndifok = 8" + } } }, "V-71913": { + "describe__deleted": " describe parse_config_file(\"/etc/security/pwquality.conf\") do\n its('minclass.to_i') { should cmp >= 4 }\n end", "tags": { - "check_id": "C-72145r1_chk", - "severity": "medium", - "gid": "V-71913", - "rid": "SV-86537r2_rule", - "stig_id": "RHEL-07-010170", - "gtitle": "SRG-OS-000072-GPOS-00040", - "fix_id": "F-78265r1_fix", - "cci": [ - "CCI-000195" - ], - "nist": [ - "IA-5 (1) (b)" - ] + "check_id__added": "C-72145r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71913" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\\n\\nPassword complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat when passwords are changed a minimum of four character classes must be\nchanged.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed." + }, + "desc": { + "__old": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "__new": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised." 
+ }, "descs": { - "check": "The \"minclass\" option sets the minimum number of required classes of characters for the new password (digits, upper-case, lower-case, others).\n\nCheck for the value of the \"minclass\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep minclass /etc/security/pwquality.conf \nminclass = 4\n\nIf the value of \"minclass\" is set to less than \"4\", this is a finding.", - "fix": "Configure the operating system to require the change of at least four character classes when passwords are changed by setting the \"minclass\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n\nminclass = 4" + "default__deleted": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "rationale__deleted": "", + "check": { + "__old": "The \"minclass\" option sets the minimum number of required classes of\ncharacters for the new password (digits, upper-case, lower-case, others).\n\n Check for the value of the \"minclass\" option in\n\"/etc/security/pwquality.conf\" with the following command:\n\n # grep minclass /etc/security/pwquality.conf\n minclass = 4\n\n If the value of \"minclass\" is set to less than \"4\", this is a finding.", + "__new": "The \"minclass\" option sets the minimum number of required classes of characters for the new password (digits, upper-case, lower-case, others).\n\nCheck for the value of the \"minclass\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep minclass /etc/security/pwquality.conf \nminclass = 4\n\nIf the value of \"minclass\" is set to less than \"4\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to require the change of at least four\ncharacter classes when passwords are changed by setting the \"minclass\" option.\n\n Add the following line to \"/etc/security/pwquality.conf conf\" (or modify\nthe line to have the required value):\n\n minclass = 4", + "__new": "Configure the operating system to require the change of at least four character classes when passwords are changed by setting the \"minclass\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n\nminclass = 4" + } } }, "V-71915": { + "describe__deleted": " describe parse_config_file(\"/etc/security/pwquality.conf\") do\n its('maxrepeat.to_i') { should cmp <= 3 }\n end", "tags": { - "check_id": "C-72147r2_chk", - "severity": "medium", - "gid": "V-71915", - "rid": "SV-86539r3_rule", - "stig_id": "RHEL-07-010180", - "gtitle": "SRG-OS-000072-GPOS-00040", - "fix_id": "F-78267r2_fix", - "cci": [ - "CCI-000195" - ], - "nist": [ - "IA-5 (1) (b)" - ] + "check_id__added": "C-72147r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71915" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\\n\\nPassword complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat when passwords are changed the number of repeating consecutive characters\nmust not be more than three characters.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters." + }, + "desc": { + "__old": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "__new": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised." 
+ }, "descs": { - "check": "The \"maxrepeat\" option sets the maximum number of allowed same consecutive characters in a new password.\n\nCheck for the value of the \"maxrepeat\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep maxrepeat /etc/security/pwquality.conf \nmaxrepeat = 3\n\nIf the value of \"maxrepeat\" is set to more than \"3\", this is a finding.", - "fix": "Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the \"maxrepeat\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n\nmaxrepeat = 3" + "default__deleted": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "rationale__deleted": "", + "check": { + "__old": "The \"maxrepeat\" option sets the maximum number of allowed same\nconsecutive characters in a new password.\n\n Check for the value of the \"maxrepeat\" option in\n\"/etc/security/pwquality.conf\" with the following command:\n\n # grep maxrepeat /etc/security/pwquality.conf\n maxrepeat = 3\n\n If the value of \"maxrepeat\" is set to more than \"3\", this is a finding.", + "__new": "The \"maxrepeat\" option sets the maximum number of allowed same consecutive characters in a new password.\n\nCheck for the value of the \"maxrepeat\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep maxrepeat /etc/security/pwquality.conf \nmaxrepeat = 3\n\nIf the value of \"maxrepeat\" is set to more than \"3\", this is a finding." + }, + "fix": { + "__old": "Configure the operating system to require the change of the number of\nrepeating consecutive characters when passwords are changed by setting the\n\"maxrepeat\" option.\n\n Add the following line to \"/etc/security/pwquality.conf conf\" (or modify\nthe line to have the required value):\n\n maxrepeat = 3", + "__new": "Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the \"maxrepeat\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf conf\" (or modify the line to have the required value):\n\nmaxrepeat = 3" + } } }, "V-71917": { + "describe__deleted": " describe parse_config_file(\"/etc/security/pwquality.conf\") do\n its('maxclassrepeat.to_i') { should cmp <= 4 }\n end", "tags": { - "check_id": "C-72149r1_chk", - "severity": "medium", - "gid": "V-71917", - "rid": "SV-86541r2_rule", - "stig_id": "RHEL-07-010190", - "gtitle": "SRG-OS-000072-GPOS-00040", - "fix_id": "F-78269r1_fix", - "cci": [ - 
"CCI-000195" - ], - "nist": [ - "IA-5 (1) (b)" - ] + "check_id__added": "C-72149r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71917" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\\n\\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat when passwords are changed the number of repeating characters of the same\ncharacter class must not be more than four characters.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters." + }, + "desc": { + "__old": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "__new": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised." + }, "descs": { - "check": "The \"maxclassrepeat\" option sets the maximum number of allowed same consecutive characters in the same class in the new password.\n\nCheck for the value of the \"maxclassrepeat\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep maxclassrepeat /etc/security/pwquality.conf \nmaxclassrepeat = 4\n\nIf the value of \"maxclassrepeat\" is set to more than \"4\", this is a finding.", - "fix": "Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the \"maxclassrepeat\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" conf (or modify the line to have the required value):\n\nmaxclassrepeat = 4" + "default__deleted": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks.\n\n Password complexity is one factor of several that determines how long it\ntakes to crack a password. 
The more complex the password, the greater the\nnumber of possible combinations that need to be tested before the password is\ncompromised.", + "rationale__deleted": "", + "check": { + "__old": "The \"maxclassrepeat\" option sets the maximum number of allowed same\nconsecutive characters in the same class in the new password.\n\n Check for the value of the \"maxclassrepeat\" option in\n\"/etc/security/pwquality.conf\" with the following command:\n\n # grep maxclassrepeat /etc/security/pwquality.conf\n maxclassrepeat = 4\n\n If the value of \"maxclassrepeat\" is set to more than \"4\", this is a\nfinding.", + "__new": "The \"maxclassrepeat\" option sets the maximum number of allowed same consecutive characters in the same class in the new password.\n\nCheck for the value of the \"maxclassrepeat\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep maxclassrepeat /etc/security/pwquality.conf \nmaxclassrepeat = 4\n\nIf the value of \"maxclassrepeat\" is set to more than \"4\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to require the change of the number of\nrepeating characters of the same character class when passwords are changed by\nsetting the \"maxclassrepeat\" option.\n\n Add the following line to \"/etc/security/pwquality.conf\" conf (or modify\nthe line to have the required value):\n\n maxclassrepeat = 4", + "__new": "Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the \"maxclassrepeat\" option.\n\nAdd the following line to \"/etc/security/pwquality.conf\" conf (or modify the line to have the required value):\n\nmaxclassrepeat = 4" + } } }, "V-71919": { + "describe__deleted": " describe pam(\"/etc/pam.d/system-auth\") do\n its('lines') { should match_pam_rule('password sufficient pam_unix.so sha512') }\n its('lines') { should match_pam_rule('password .* pam_unix.so').all_without_args('^(md5|bigcrypt|sha256|blowfish)$') }\n end", "tags": { - "check_id": "C-72151r3_chk", - "severity": "medium", - "gid": "V-71919", - "rid": "SV-86543r3_rule", - "stig_id": "RHEL-07-010200", - "gtitle": "SRG-OS-000073-GPOS-00041", - "fix_id": "F-78271r4_fix", - "cci": [ - "CCI-000196" - ], - "nist": [ - "IA-5 (1) (c)" - ] + "check_id__added": "C-72151r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71919" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.", - "desc": "[\"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the PAM system service is configured to store only encrypted\nrepresentations of passwords.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords." + }, + "desc": { + "__old": "Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised. Passwords\nencrypted with a weak algorithm are no more protected than if they are kept in\nplain text.", + "__new": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text." + }, "descs": { - "check": "Verify the PAM system service is configured to store only encrypted representations of passwords. 
The strength of encryption that must be used to hash passwords for all accounts is SHA512.\n\nCheck that the system is configured to create SHA512 hashed passwords with the following command:\n\n# grep password /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nOutcome should look like following:\n/etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n/etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n\nIf the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" configuration files allow for password hashes other than SHA512 to be used, this is a finding.", - "fix": "Configure the operating system to store only SHA512 encrypted representations of passwords.\n\nAdd the following line in \"/etc/pam.d/system-auth\":\npam_unix.so sha512 shadow try_first_pass use_authtok\n\nAdd the following line in \"/etc/pam.d/password-auth\":\npam_unix.so sha512 shadow try_first_pass use_authtok\n\nNote: Manual changes to the listed files may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used to update the configurations listed in this requirement." + "default__deleted": "Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised. Passwords\nencrypted with a weak algorithm are no more protected than if they are kept in\nplain text.", + "rationale__deleted": "", + "check": { + "__old": "Verify the PAM system service is configured to store only encrypted\nrepresentations of passwords. 
The strength of encryption that must be used to\nhash passwords for all accounts is SHA512.\n\n Check that the system is configured to create SHA512 hashed passwords with\nthe following command:\n\n # grep password /etc/pam.d/system-auth /etc/pam.d/password-auth\n\n Outcome should look like following:\n /etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512\nshadow try_first_pass use_authtok\n /etc/pam.d/password-auth:password sufficient pam_unix.so sha512\nshadow try_first_pass use_authtok\n\n If the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\"\nconfiguration files allow for password hashes other than SHA512 to be used,\nthis is a finding.", + "__new": "Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.\n\nCheck that the system is configured to create SHA512 hashed passwords with the following command:\n\n# grep password /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nOutcome should look like following:\n/etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n/etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n\nIf the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" configuration files allow for password hashes other than SHA512 to be used, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to store only SHA512 encrypted\nrepresentations of passwords.\n\n Add the following line in \"/etc/pam.d/system-auth\":\n pam_unix.so sha512 shadow try_first_pass use_authtok\n\n Add the following line in \"/etc/pam.d/password-auth\":\n pam_unix.so sha512 shadow try_first_pass use_authtok\n\n Note: Manual changes to the listed files may be overwritten by the\n\"authconfig\" program. 
The \"authconfig\" program should not be used to update\nthe configurations listed in this requirement.", + "__new": "Configure the operating system to store only SHA512 encrypted representations of passwords.\n\nAdd the following line in \"/etc/pam.d/system-auth\":\npam_unix.so sha512 shadow try_first_pass use_authtok\n\nAdd the following line in \"/etc/pam.d/password-auth\":\npam_unix.so sha512 shadow try_first_pass use_authtok\n\nNote: Manual changes to the listed files may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used to update the configurations listed in this requirement." + } } }, "V-71921": { + "describe__deleted": " describe login_defs do\n its('ENCRYPT_METHOD') { should cmp \"SHA512\" }\n end", "tags": { - "check_id": "C-72153r1_chk", - "severity": "medium", - "gid": "V-71921", - "rid": "SV-86545r2_rule", - "stig_id": "RHEL-07-010210", - "gtitle": "SRG-OS-000073-GPOS-00041", - "fix_id": "F-78273r1_fix", - "cci": [ - "CCI-000196" - ], - "nist": [ - "IA-5 (1) (c)" - ] + "check_id__added": "C-72153r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71921" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.", - "desc": "[\"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured to\nuse the shadow file to store only encrypted representations of passwords.", + "__new": "The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords." + }, + "desc": { + "__old": "Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised. Passwords\nencrypted with a weak algorithm are no more protected than if they are kept in\nplain text.", + "__new": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text." + }, "descs": { - "check": "Verify the system's shadow file is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.\n\nCheck that the system is configured to create SHA512 hashed passwords with the following command:\n\n# grep -i encrypt /etc/login.defs\nENCRYPT_METHOD SHA512\n\nIf the \"/etc/login.defs\" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.", - "fix": "Configure the operating system to store only SHA512 encrypted representations of passwords.\n\nAdd or update the following line in \"/etc/login.defs\":\n\nENCRYPT_METHOD SHA512" + "default__deleted": "Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. 
If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised. Passwords\nencrypted with a weak algorithm are no more protected than if they are kept in\nplain text.", + "rationale__deleted": "", + "check": { + "__old": "Verify the system's shadow file is configured to store only encrypted\nrepresentations of passwords. The strength of encryption that must be used to\nhash passwords for all accounts is SHA512.\n\n Check that the system is configured to create SHA512 hashed passwords with\nthe following command:\n\n # grep -i encrypt /etc/login.defs\n ENCRYPT_METHOD SHA512\n\n If the \"/etc/login.defs\" configuration file does not exist or allows for\npassword hashes other than SHA512 to be used, this is a finding.", + "__new": "Verify the system's shadow file is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.\n\nCheck that the system is configured to create SHA512 hashed passwords with the following command:\n\n# grep -i encrypt /etc/login.defs\nENCRYPT_METHOD SHA512\n\nIf the \"/etc/login.defs\" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to store only SHA512 encrypted\nrepresentations of passwords.\n\n Add or update the following line in \"/etc/login.defs\":\n\n ENCRYPT_METHOD SHA512", + "__new": "Configure the operating system to store only SHA512 encrypted representations of passwords.\n\nAdd or update the following line in \"/etc/login.defs\":\n\nENCRYPT_METHOD SHA512" + } } }, "V-71923": { + "describe__deleted": " describe command(\"cat /etc/libuser.conf | grep -i sha512\") do\n its('stdout.strip') { should match %r(^crypt_style = sha512$) }\n end", "tags": { - "check_id": "C-72155r3_chk", - "severity": "medium", - "gid": "V-71923", - "rid": "SV-86547r3_rule", - "stig_id": "RHEL-07-010220", - "gtitle": "SRG-OS-000073-GPOS-00041", - "fix_id": "F-78275r1_fix", - "cci": [ - "CCI-000196" - ], - "nist": [ - "IA-5 (1) (c)" - ] + "check_id__added": "C-72155r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71923" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.", - "desc": "[\"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat user and group account administration utilities are configured to store\nonly encrypted representations of passwords.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords." + }, + "desc": { + "__old": "Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised. Passwords\nencrypted with a weak algorithm are no more protected than if they are kept in\nplain text.", + "__new": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text." + }, "descs": { - "check": "Verify the user and group account administration utilities are configured to store only encrypted representations of passwords. 
The strength of encryption that must be used to hash passwords for all accounts is \"SHA512\".\n\nCheck that the system is configured to create \"SHA512\" hashed passwords with the following command:\n\n# grep -i sha512 /etc/libuser.conf \n\ncrypt_style = sha512\n\nIf the \"crypt_style\" variable is not set to \"sha512\", is not in the defaults section, is commented out, or does not exist, this is a finding.", - "fix": "Configure the operating system to store only SHA512 encrypted representations of passwords.\n\nAdd or update the following line in \"/etc/libuser.conf\" in the [defaults] section: \n\ncrypt_style = sha512" + "default__deleted": "Passwords need to be protected at all times, and encryption is the\nstandard method for protecting passwords. If passwords are not encrypted, they\ncan be plainly read (i.e., clear text) and easily compromised. Passwords\nencrypted with a weak algorithm are no more protected than if they are kept in\nplain text.", + "rationale__deleted": "", + "check": { + "__old": "Verify the user and group account administration utilities are configured\nto store only encrypted representations of passwords. The strength of\nencryption that must be used to hash passwords for all accounts is \"SHA512\".\n\n Check that the system is configured to create \"SHA512\" hashed passwords\nwith the following command:\n\n # grep -i sha512 /etc/libuser.conf\n\n crypt_style = sha512\n\n If the \"crypt_style\" variable is not set to \"sha512\", is not in the\ndefaults section, is commented out, or does not exist, this is a finding.", + "__new": "Verify the user and group account administration utilities are configured to store only encrypted representations of passwords. 
The strength of encryption that must be used to hash passwords for all accounts is \"SHA512\".\n\nCheck that the system is configured to create \"SHA512\" hashed passwords with the following command:\n\n# grep -i sha512 /etc/libuser.conf \n\ncrypt_style = sha512\n\nIf the \"crypt_style\" variable is not set to \"sha512\", is not in the defaults section, is commented out, or does not exist, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to store only SHA512 encrypted\nrepresentations of passwords.\n\n Add or update the following line in \"/etc/libuser.conf\" in the [defaults]\nsection:\n\n crypt_style = sha512", + "__new": "Configure the operating system to store only SHA512 encrypted representations of passwords.\n\nAdd or update the following line in \"/etc/libuser.conf\" in the [defaults] section: \n\ncrypt_style = sha512" + } } }, "V-71925": { + "describe__deleted": " describe login_defs do\n its('PASS_MIN_DAYS.to_i') { should cmp >= 1 }\n end", "tags": { - "check_id": "C-72157r1_chk", - "severity": "medium", - "gid": "V-71925", - "rid": "SV-86549r2_rule", - "stig_id": "RHEL-07-010230", - "gtitle": "SRG-OS-000075-GPOS-00043", - "fix_id": "F-78277r1_fix", - "cci": [ - "CCI-000198" - ], - "nist": [ - "IA-5 (1) (d)" - ] + "check_id__added": "C-72157r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71925" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime.", - "desc": "[\"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat passwords for new users are restricted to a 24 hours/1 day minimum\nlifetime.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime." + }, + "desc": { + "__old": "Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. If users are allowed to immediately and continually change their\npassword, the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.", + "__new": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse." 
+ }, "descs": { - "check": "Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user accounts.\n\nCheck for the value of \"PASS_MIN_DAYS\" in \"/etc/login.defs\" with the following command: \n\n# grep -i pass_min_days /etc/login.defs\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is not \"1\" or greater, or is commented out, this is a finding.", - "fix": "Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime.\n\nAdd the following line in \"/etc/login.defs\" (or modify the line to have the required value):\n\nPASS_MIN_DAYS 1" + "default__deleted": "Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. If users are allowed to immediately and continually change their\npassword, the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system enforces 24 hours/1 day as the minimum password\nlifetime for new user accounts.\n\n Check for the value of \"PASS_MIN_DAYS\" in \"/etc/login.defs\" with the\nfollowing command:\n\n # grep -i pass_min_days /etc/login.defs\n PASS_MIN_DAYS 1\n\n If the \"PASS_MIN_DAYS\" parameter value is not \"1\" or greater, or is\ncommented out, this is a finding.", + "__new": "Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user accounts.\n\nCheck for the value of \"PASS_MIN_DAYS\" in \"/etc/login.defs\" with the following command: \n\n# grep -i pass_min_days /etc/login.defs\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is not \"1\" or greater, or is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to enforce 24 hours/1 day as the minimum\npassword lifetime.\n\n Add the following line in \"/etc/login.defs\" (or modify the line to have\nthe required value):\n\n PASS_MIN_DAYS 1", + "__new": "Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime.\n\nAdd the following line in \"/etc/login.defs\" (or modify the line to have the required value):\n\nPASS_MIN_DAYS 1" + } } }, "V-71927": { + "describe__deleted": " shadow.users.each do |user|\n # filtering on non-system accounts (uid >= 1000)\n next unless user(user).uid >= 1000\n describe shadow.users(user) do\n its('min_days.first.to_i') { should cmp >= 1 }\n end\n end", "tags": { - "check_id": "C-72159r2_chk", - "severity": "medium", - "gid": "V-71927", - "rid": "SV-86551r2_rule", - "stig_id": "RHEL-07-010240", - "gtitle": "SRG-OS-000075-GPOS-00043", - "fix_id": "F-78279r1_fix", - "cci": [ - "CCI-000198" - ], - "nist": [ - "IA-5 (1) (d)" - ] + "check_id__added": "C-72159r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71927" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime.", - "desc": "[\"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat passwords are restricted to a 24 hours/1 day minimum lifetime.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime." + }, + "desc": { + "__old": "Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. If users are allowed to immediately and continually change their\npassword, the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.", + "__new": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse." + }, "descs": { - "check": "Check whether the minimum time period between password changes for each user account is one day or greater.\n\n# awk -F: '$4 < 1 {print $1 \" \" $4}' /etc/shadow\n\nIf any results are returned that are not associated with a system account, this is a finding.", - "fix": "Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:\n\n# chage -m 1 [user]" + "default__deleted": "Enforcing a minimum password lifetime helps to prevent repeated\npassword changes to defeat the password reuse or history enforcement\nrequirement. 
If users are allowed to immediately and continually change their\npassword, the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.", + "rationale__deleted": "", + "check": { + "__old": "Check whether the minimum time period between password changes for each\nuser account is one day or greater.\n\n # awk -F: '$4 < 1 {print $1 \" \" $4}' /etc/shadow\n\n If any results are returned that are not associated with a system account,\nthis is a finding.", + "__new": "Check whether the minimum time period between password changes for each user account is one day or greater.\n\n# awk -F: '$4 < 1 {print $1 \" \" $4}' /etc/shadow\n\nIf any results are returned that are not associated with a system account, this is a finding." + }, + "fix": { + "__old": "Configure non-compliant accounts to enforce a 24 hours/1 day minimum\npassword lifetime:\n\n # chage -m 1 [user]", + "__new": "Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:\n\n# chage -m 1 [user]" + } } }, "V-71929": { + "describe__deleted": " unless command(\"grep 'pam_unix.so' /etc/pam.d/system-auth | grep 'auth ' | grep 'optional'\").stdout.empty? 
&& command(\"grep 'pam_permit.so' /etc/pam.d/system-auth | grep 'auth ' | grep 'required'\").stdout.empty?\n impact 0.0\n describe \"The system is not using password for authentication\" do\n skip \"The system is not using password for authentication, this control is Not Applicable.\"\n end\n else\n describe login_defs do\n its('PASS_MAX_DAYS.to_i') { should cmp <= 60 }\n end\n end", "tags": { - "check_id": "C-72161r2_chk", - "severity": "medium", - "gid": "V-71929", - "rid": "SV-86553r2_rule", - "stig_id": "RHEL-07-010250", - "gtitle": "SRG-OS-000076-GPOS-00044", - "fix_id": "F-78281r1_fix", - "cci": [ - "CCI-000199" - ], - "nist": [ - "IA-5 (1) (d)" - ] + "check_id__added": "C-72161r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71929" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime.", - "desc": "[\"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat passwords for new users are restricted to a 60-day maximum lifetime.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime." + }, + "desc": { + "__old": "Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. 
If the operating system\ndoes not limit the lifetime of passwords and force users to change their\npasswords, there is the risk that the operating system passwords could be\ncompromised.", + "__new": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised." + }, "descs": { - "check": "If passwords are not being used for authentication, this is Not Applicable.\n\nVerify the operating system enforces a 60-day maximum password lifetime restriction for new user accounts.\n\nCheck for the value of \"PASS_MAX_DAYS\" in \"/etc/login.defs\" with the following command:\n\n# grep -i pass_max_days /etc/login.defs\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is not 60 or less, or is commented out, this is a finding.", - "fix": "Configure the operating system to enforce a 60-day maximum password lifetime restriction.\n\nAdd the following line in \"/etc/login.defs\" (or modify the line to have the required value):\n\nPASS_MAX_DAYS 60" + "default__deleted": "Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. 
If the operating system\ndoes not limit the lifetime of passwords and force users to change their\npasswords, there is the risk that the operating system passwords could be\ncompromised.", + "rationale__deleted": "", + "check": { + "__old": "If passwords are not being used for authentication, this is Not Applicable.\n\n Verify the operating system enforces a 60-day maximum password lifetime\nrestriction for new user accounts.\n\n Check for the value of \"PASS_MAX_DAYS\" in \"/etc/login.defs\" with the\nfollowing command:\n\n # grep -i pass_max_days /etc/login.defs\n PASS_MAX_DAYS 60\n\n If the \"PASS_MAX_DAYS\" parameter value is not 60 or less, or is commented\nout, this is a finding.", + "__new": "If passwords are not being used for authentication, this is Not Applicable.\n\nVerify the operating system enforces a 60-day maximum password lifetime restriction for new user accounts.\n\nCheck for the value of \"PASS_MAX_DAYS\" in \"/etc/login.defs\" with the following command:\n\n# grep -i pass_max_days /etc/login.defs\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is not 60 or less, or is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to enforce a 60-day maximum password\nlifetime restriction.\n\n Add the following line in \"/etc/login.defs\" (or modify the line to have\nthe required value):\n\n PASS_MAX_DAYS 60", + "__new": "Configure the operating system to enforce a 60-day maximum password lifetime restriction.\n\nAdd the following line in \"/etc/login.defs\" (or modify the line to have the required value):\n\nPASS_MAX_DAYS 60" + } } }, "V-71931": { + "describe__deleted": " shadow.users.each do |user|\n # filtering on non-system accounts (uid >= 1000)\n next unless user(user).uid >= 1000\n describe shadow.users(user) do\n its('max_days.first.to_i') { should cmp <= 60 }\n end\n end", "tags": { - "check_id": "C-72163r3_chk", - "severity": "medium", - "gid": "V-71931", - "rid": "SV-86555r3_rule", - "stig_id": "RHEL-07-010260", - "gtitle": "SRG-OS-000076-GPOS-00044", - "fix_id": "F-78283r1_fix", - "cci": [ - "CCI-000199" - ], - "nist": [ - "IA-5 (1) (d)" - ] + "check_id__added": "C-72163r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71931" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.", - "desc": "[\"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. 
If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat existing passwords are restricted to a 60-day maximum lifetime.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime." + }, + "desc": { + "__old": "Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. If the operating system\ndoes not limit the lifetime of passwords and force users to change their\npasswords, there is the risk that the operating system passwords could be\ncompromised.", + "__new": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised." + }, "descs": { - "check": "Check whether the maximum time period for existing passwords is restricted to 60 days.\n\n# awk -F: '$5 > 60 {print $1 \" \" $5}' /etc/shadow\n\nIf any results are returned that are not associated with a system account, this is a finding.", - "fix": "Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.\n\n# chage -M 60 [user]" + "default__deleted": "Any password, no matter how complex, can eventually be cracked.\nTherefore, passwords need to be changed periodically. 
If the operating system\ndoes not limit the lifetime of passwords and force users to change their\npasswords, there is the risk that the operating system passwords could be\ncompromised.", + "rationale__deleted": "", + "check": { + "__old": "Check whether the maximum time period for existing passwords is restricted\nto 60 days.\n\n # awk -F: '$5 > 60 {print $1 \" \" $5}' /etc/shadow\n\n If any results are returned that are not associated with a system account,\nthis is a finding.", + "__new": "Check whether the maximum time period for existing passwords is restricted to 60 days.\n\n# awk -F: '$5 > 60 {print $1 \" \" $5}' /etc/shadow\n\nIf any results are returned that are not associated with a system account, this is a finding." + }, + "fix": { + "__old": "Configure non-compliant accounts to enforce a 60-day maximum password\nlifetime restriction.\n\n # chage -M 60 [user]", + "__new": "Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.\n\n# chage -M 60 [user]" + } } }, "V-71933": { + "describe__deleted": " min_reuse_generations = input('min_reuse_generations')\n\n describe pam(\"/etc/pam.d/system-auth\") do\n its('lines') { should match_pam_rule('password (required|requisite|sufficient) pam_(unix|pwhistory).so').any_with_integer_arg('remember', '>=', min_reuse_generations) }\n end", "tags": { - "check_id": "C-72165r2_chk", - "severity": "medium", - "gid": "V-71933", - "rid": "SV-86557r3_rule", - "stig_id": "RHEL-07-010270", - "gtitle": "SRG-OS-000077-GPOS-00045", - "fix_id": "F-78285r3_fix", - "cci": [ - "CCI-000200" - ], - "nist": [ - "IA-5 (1) (e)" - ] + "check_id__added": "C-72165r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71933" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations.", - "desc": 
"[\"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat passwords are prohibited from reuse for a minimum of five generations.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations." + }, + "desc": { + "__old": "Password complexity, or strength, is a measure of the effectiveness of\na password in resisting attempts at guessing and brute-force attacks. If the\ninformation system or application allows the user to consecutively reuse their\npassword when that password has exceeded its defined lifetime, the end result\nis a password that is not changed per policy requirements.", + "__new": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements." 
+ }, "descs": { - "check": "Verify the operating system prohibits password reuse for a minimum of five generations.\n\nCheck for the value of the \"remember\" argument in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" with the following command:\n\n# grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth\n\npassword requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\nIf the line containing the \"pam_pwhistory.so\" line does not have the \"remember\" module argument set, is commented out, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding.", - "fix": "Configure the operating system to prohibit password reuse for a minimum of five generations.\n\nAdd the following line in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" (or modify the line to have the required value):\n\npassword requisite pam_pwhistory.so use_authtok remember=5 retry=3\n \nNote: Manual changes to the listed files may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used to update the configurations listed in this requirement." + "default__deleted": "Password complexity, or strength, is a measure of the effectiveness of\na password in resisting attempts at guessing and brute-force attacks. 
If the\ninformation system or application allows the user to consecutively reuse their\npassword when that password has exceeded its defined lifetime, the end result\nis a password that is not changed per policy requirements.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system prohibits password reuse for a minimum of five\ngenerations.\n\n Check for the value of the \"remember\" argument in\n\"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" with the following\ncommand:\n\n # grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\n If the line containing the \"pam_pwhistory.so\" line does not have the\n\"remember\" module argument set, is commented out, or the value of the\n\"remember\" module argument is set to less than \"5\", this is a finding.", + "__new": "Verify the operating system prohibits password reuse for a minimum of five generations.\n\nCheck for the value of the \"remember\" argument in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" with the following command:\n\n# grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth\n\npassword requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\nIf the line containing the \"pam_pwhistory.so\" line does not have the \"remember\" module argument set, is commented out, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding." + }, + "fix": { + "__old": "Configure the operating system to prohibit password reuse for a minimum of\nfive generations.\n\n Add the following line in \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" (or modify the line to have the required value):\n\n password requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\n Note: Manual changes to the listed files may be overwritten by the\n\"authconfig\" program. 
The \"authconfig\" program should not be used to update\nthe configurations listed in this requirement.", + "__new": "Configure the operating system to prohibit password reuse for a minimum of five generations.\n\nAdd the following line in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" (or modify the line to have the required value):\n\npassword requisite pam_pwhistory.so use_authtok remember=5 retry=3\n \nNote: Manual changes to the listed files may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used to update the configurations listed in this requirement." + } } }, "V-71935": { + "describe__deleted": " min_len = input('min_len')\n\n describe parse_config_file(\"/etc/security/pwquality.conf\") do\n its('minlen.to_i') { should cmp >= min_len }\n end", "tags": { - "check_id": "C-72167r1_chk", - "severity": "medium", - "gid": "V-71935", - "rid": "SV-86559r2_rule", - "stig_id": "RHEL-07-010280", - "gtitle": "SRG-OS-000078-GPOS-00046", - "fix_id": "F-78287r1_fix", - "cci": [ - "CCI-000205" - ], - "nist": [ - "IA-5 (1) (a)" - ] + "check_id__added": "C-72167r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71935" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length.", - "desc": "[\"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\\n\\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat passwords are a minimum of 15 characters in length.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length." + }, + "desc": { + "__old": "The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. Use of more characters in a password helps to\nexponentially increase the time and/or resources required to compromise the\npassword.", + "__new": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password." + }, "descs": { - "check": "Verify the operating system enforces a minimum 15-character password length. 
The \"minlen\" option sets the minimum number of characters in a new password.\n\nCheck for the value of the \"minlen\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep minlen /etc/security/pwquality.conf\nminlen = 15\n\nIf the command does not return a \"minlen\" value of 15 or greater, this is a finding.", - "fix": "Configure operating system to enforce a minimum 15-character password length.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nminlen = 15" + "default__deleted": "The shorter the password, the lower the number of possible\ncombinations that need to be tested before the password is compromised.\n\n Password complexity, or strength, is a measure of the effectiveness of a\npassword in resisting attempts at guessing and brute-force attacks. Password\nlength is one factor of several that helps to determine strength and how long\nit takes to crack a password. Use of more characters in a password helps to\nexponentially increase the time and/or resources required to compromise the\npassword.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system enforces a minimum 15-character password\nlength. The \"minlen\" option sets the minimum number of characters in a new\npassword.\n\n Check for the value of the \"minlen\" option in\n\"/etc/security/pwquality.conf\" with the following command:\n\n # grep minlen /etc/security/pwquality.conf\n minlen = 15\n\n If the command does not return a \"minlen\" value of 15 or greater, this is\na finding.", + "__new": "Verify the operating system enforces a minimum 15-character password length. 
The \"minlen\" option sets the minimum number of characters in a new password.\n\nCheck for the value of the \"minlen\" option in \"/etc/security/pwquality.conf\" with the following command:\n\n# grep minlen /etc/security/pwquality.conf\nminlen = 15\n\nIf the command does not return a \"minlen\" value of 15 or greater, this is a finding." + }, + "fix": { + "__old": "Configure operating system to enforce a minimum 15-character password\nlength.\n\n Add the following line to \"/etc/security/pwquality.conf\" (or modify the\nline to have the required value):\n\n minlen = 15", + "__new": "Configure operating system to enforce a minimum 15-character password length.\n\nAdd the following line to \"/etc/security/pwquality.conf\" (or modify the line to have the required value):\n\nminlen = 15" + } } }, "V-71937": { + "describe__deleted": " # Fetch all files under /etc/pam.d excluding '*-ac' files\n # but including symlinks\n pam_file_list = command('find /etc/pam.d ! -name \\'*-ac\\' -a \\( -type f -o -type l \\)').stdout.strip.split\n\n pam_file_list.each do |pam_file|\n describe pam(pam_file) do\n its('lines') { should match_pam_rule('.* .* pam_unix.so').all_without_args('nullok') }\n end\n end", "tags": { - "check_id": "C-72169r2_chk", - "severity": "high", - "gid": "V-71937", - "rid": "SV-86561r3_rule", - "stig_id": "RHEL-07-010290", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78289r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72169r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71937" - ], - "title": "The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.", - "desc": "[\"If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not have accounts\nconfigured with blank or null passwords.", + "__new": "The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords." + }, + "desc": { + "__old": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. Accounts with empty passwords\nshould never be used in operational environments.", + "__new": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments." + }, "descs": { - "check": "To verify that null passwords cannot be used, run the following command: \n\n# grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nIf this produces any output, it may be possible to log on with accounts with empty passwords.\n\nIf null passwords can be used, this is a finding.", - "fix": "If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.\n\nRemove any instances of the \"nullok\" option in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" to prevent logons with empty passwords.\n\nNote: Manual changes to the listed files may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used to update the configurations listed in this requirement." + "default__deleted": "If an account has an empty password, anyone could log on and run\ncommands with the privileges of that account. 
Accounts with empty passwords\nshould never be used in operational environments.", + "rationale__deleted": "", + "check": { + "__old": "To verify that null passwords cannot be used, run the following command:\n\n # grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth\n\n If this produces any output, it may be possible to log on with accounts\nwith empty passwords.\n\n If null passwords can be used, this is a finding.", + "__new": "To verify that null passwords cannot be used, run the following command: \n\n# grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nIf this produces any output, it may be possible to log on with accounts with empty passwords.\n\nIf null passwords can be used, this is a finding." + }, + "fix": { + "__old": "If an account is configured for password authentication but does not have\nan assigned password, it may be possible to log on to the account without\nauthenticating.\n\n Remove any instances of the \"nullok\" option in \"/etc/pam.d/system-auth\"\nand \"/etc/pam.d/password-auth\" to prevent logons with empty passwords.\n\n Note: Manual changes to the listed files may be overwritten by the\n\"authconfig\" program. The \"authconfig\" program should not be used to update\nthe configurations listed in this requirement.", + "__new": "If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.\n\nRemove any instances of the \"nullok\" option in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" to prevent logons with empty passwords.\n\nNote: Manual changes to the listed files may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used to update the configurations listed in this requirement." 
+ } } }, "V-71939": { + "describe__deleted": " describe sshd_config do\n its('PermitEmptyPasswords') { should eq 'no' }\n end", "tags": { - "check_id": "C-72171r2_chk", - "severity": "high", - "gid": "V-71939", - "rid": "SV-86563r3_rule", - "stig_id": "RHEL-07-010300", - "gtitle": "SRG-OS-000106-GPOS-00053", - "fix_id": "F-78291r2_fix", - "cci": [ - "CCI-000766" - ], - "nist": [ - "IA-2 (2)" - ] + "check_id__added": "C-72171r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71939" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password.", - "desc": "[\"Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the SSH daemon does not allow authentication using an empty password.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password." + }, + "desc": { + "__old": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", + "__new": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere." 
+ }, "descs": { - "check": "To determine how the SSH daemon's \"PermitEmptyPasswords\" option is set, run the following command:\n\n# grep -i PermitEmptyPasswords /etc/ssh/sshd_config\nPermitEmptyPasswords no\n\nIf no line, a commented line, or a line indicating the value \"no\" is returned, the required value is set.\n\nIf the required value is not set, this is a finding.", - "fix": "To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in \"/etc/ssh/sshd_config\":\n\nPermitEmptyPasswords no\n\nThe SSH service must be restarted for changes to take effect. Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords." + "default__deleted": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", + "rationale__deleted": "", + "check": { + "__old": "To determine how the SSH daemon's \"PermitEmptyPasswords\" option is set,\nrun the following command:\n\n # grep -i PermitEmptyPasswords /etc/ssh/sshd_config\n PermitEmptyPasswords no\n\n If no line, a commented line, or a line indicating the value \"no\" is\nreturned, the required value is set.\n\n If the required value is not set, this is a finding.", + "__new": "To determine how the SSH daemon's \"PermitEmptyPasswords\" option is set, run the following command:\n\n# grep -i PermitEmptyPasswords /etc/ssh/sshd_config\nPermitEmptyPasswords no\n\nIf no line, a commented line, or a line indicating the value \"no\" is returned, the required value is set.\n\nIf the required value is not set, this is a finding." 
+ }, + "fix": { + "__old": "To explicitly disallow remote logon from accounts with empty passwords, add\nor correct the following line in \"/etc/ssh/sshd_config\":\n\n PermitEmptyPasswords no\n\n The SSH service must be restarted for changes to take effect. Any accounts\nwith empty passwords should be disabled immediately, and PAM configuration\nshould prevent users from being able to assign themselves empty passwords.", + "__new": "To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in \"/etc/ssh/sshd_config\":\n\nPermitEmptyPasswords no\n\nThe SSH service must be restarted for changes to take effect. Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords." + } } }, "V-71941": { + "describe__deleted": " days_of_inactivity = input('days_of_inactivity')\n\n unless command(\"grep 'pam_unix.so' /etc/pam.d/system-auth | grep 'auth ' | grep 'optional'\").stdout.empty? 
&& command(\"grep 'pam_permit.so' /etc/pam.d/system-auth | grep 'auth ' | grep 'required'\").stdout.empty?\n impact 0.0\n describe \"The system is not using password for authentication\" do\n skip \"The system is not using password for authentication, this control is Not Applicable.\"\n end\n else\n describe parse_config_file(\"/etc/default/useradd\") do\n its('INACTIVE') { should cmp >= 0 }\n its('INACTIVE') { should cmp <= days_of_inactivity }\n end\n end\n", "tags": { - "check_id": "C-72173r2_chk", - "severity": "medium", - "gid": "V-71941", - "rid": "SV-86565r2_rule", - "stig_id": "RHEL-07-010310", - "gtitle": "SRG-OS-000118-GPOS-00060", - "fix_id": "F-78293r1_fix", - "cci": [ - "CCI-000795" - ], - "nist": [ - "IA-4 e" - ] + "check_id__added": "C-72173r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71941" - ], - "title": "The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.", - "desc": "[\"Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\\n\\nOperating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must disable account\nidentifiers (individuals, groups, roles, and devices) if the password expires.", + "__new": "The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires." 
+ }, + "desc": { + "__old": "Inactive identifiers pose a risk to systems and applications because\nattackers may exploit an inactive identifier and potentially obtain undetected\naccess to the system. Owners of inactive accounts will not notice if\nunauthorized access to their user account has been obtained.\n\n Operating systems need to track periods of inactivity and disable\napplication identifiers after zero days of inactivity.", + "__new": "Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nOperating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity." + }, "descs": { - "check": "If passwords are not being used for authentication, this is Not Applicable.\n\nVerify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password expires with the following command:\n\n# grep -i inactive /etc/default/useradd\nINACTIVE=0\n\nIf the value is not set to \"0\", is commented out, or is not defined, this is a finding.", - "fix": "Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) after the password expires.\n\nAdd the following line to \"/etc/default/useradd\" (or modify the line to have the required value):\n\nINACTIVE=0" + "default__deleted": "Inactive identifiers pose a risk to systems and applications because\nattackers may exploit an inactive identifier and potentially obtain undetected\naccess to the system. 
Owners of inactive accounts will not notice if\nunauthorized access to their user account has been obtained.\n\n Operating systems need to track periods of inactivity and disable\napplication identifiers after zero days of inactivity.", + "rationale__deleted": "", + "check": { + "__old": "If passwords are not being used for authentication, this is Not Applicable.\n\n Verify the operating system disables account identifiers (individuals,\ngroups, roles, and devices) after the password expires with the following\ncommand:\n\n # grep -i inactive /etc/default/useradd\n INACTIVE=0\n\n If the value is not set to \"0\", is commented out, or is not defined, this\nis a finding.", + "__new": "If passwords are not being used for authentication, this is Not Applicable.\n\nVerify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password expires with the following command:\n\n# grep -i inactive /etc/default/useradd\nINACTIVE=0\n\nIf the value is not set to \"0\", is commented out, or is not defined, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to disable account identifiers (individuals,\ngroups, roles, and devices) after the password expires.\n\n Add the following line to \"/etc/default/useradd\" (or modify the line to\nhave the required value):\n\n INACTIVE=0", + "__new": "Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) after the password expires.\n\nAdd the following line to \"/etc/default/useradd\" (or modify the line to have the required value):\n\nINACTIVE=0" + } } }, "V-71943": { + "describe__deleted": " describe pam('/etc/pam.d/password-auth') do\n its('lines') {\n should match_pam_rules(input('required_rules')).exactly.or \\\n match_pam_rules(input('alternate_rules')).exactly\n }\n its('lines') { should match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_integer_arg('deny', '<=', input('unsuccessful_attempts')) }\n its('lines') { should match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_integer_arg('fail_interval', '<=', input('fail_interval')) }\n its('lines') {\n should match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_args('unlock_time=(0|never)').or \\\n (match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_integer_arg('unlock_time', '<=', 604800).and \\\n match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_integer_arg('unlock_time', '>=', input('lockout_time')))\n }\n end\n\n describe pam('/etc/pam.d/system-auth') do\n its('lines') {\n should match_pam_rules(input('required_rules')).exactly.or \\\n match_pam_rules(input('alternate_rules')).exactly\n }\n its('lines') { should match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_integer_arg('deny', '<=', input('unsuccessful_attempts')) }\n its('lines') { should match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_integer_arg('fail_interval', '<=', input('fail_interval')) }\n its('lines') {\n should 
match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_args('unlock_time=(0|never)').or \\\n (match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_integer_arg('unlock_time', '<=', 604800).and \\\n match_pam_rule('auth [default=die]|required pam_faillock.so').all_with_integer_arg('unlock_time', '>=', input('lockout_time')))\n }\n end", "tags": { - "check_id": "C-72175r5_chk", - "severity": "medium", - "gid": "V-71943", - "rid": "SV-86567r5_rule", - "stig_id": "RHEL-07-010320", - "gtitle": "SRG-OS-000329-GPOS-00128", - "fix_id": "F-78295r5_fix", - "cci": [ - "CCI-000044", - "CCI-002236", - "CCI-002237", - "CCI-002238" - ], - "nist": [ - "AC-7 a", - "AC-7 b", - "AC-7 b", - "AC-7 b" - ] + "check_id__added": "C-72175r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71943" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.", - "desc": "[\"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.\\n\\nSatisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured to\nlock accounts for a minimum of 15 minutes after three unsuccessful logon\nattempts within a 15-minute timeframe.", + "__new": "The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe." 
+ }, + "desc": { + "__old": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-forcing, is reduced. Limits are imposed by locking the account.", + "__new": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.\n\n" + }, "descs": { - "check": "Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command:\n\n# grep pam_faillock.so /etc/pam.d/password-auth\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so \n\nIf the \"deny\" parameter is set to \"0\" or a value less than \"3\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"even_deny_root\" parameter is not set on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"fail_interval\" parameter is set to \"0\" or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"unlock_time\" parameter is not set to \"0\", \"never\", or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nNote: The maximum configurable value for \"unlock_time\" is \"604800\". 
\n\nIf any line referencing the \"pam_faillock.so\" module is commented out, this is a finding.\n\n# grep pam_faillock.so /etc/pam.d/system-auth\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so \n\nIf the \"deny\" parameter is set to \"0\" or a value less than \"3\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"even_deny_root\" parameter is not set on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"fail_interval\" parameter is set to \"0\" or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"unlock_time\" parameter is not set to \"0\", \"never\", or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module or is missing from these lines, this is a finding.\n\nNote: The maximum configurable value for \"unlock_time\" is \"604800\". 
\nIf any line referencing the \"pam_faillock.so\" module is commented out, this is a finding.", - "fix": "Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.\n\nModify the first three lines of the auth section and the first line of the account section of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so \n\nNote: Manual changes to the listed files may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used to update the configurations listed in this requirement." + "default__deleted": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as\nbrute-forcing, is reduced. 
Limits are imposed by locking the account.", + "rationale__deleted": "", + "check": { + "__old": "Check that the system locks an account for a minimum of 15 minutes after\nthree unsuccessful logon attempts within a period of 15 minutes with the\nfollowing command:\n\n # grep pam_faillock.so /etc/pam.d/password-auth\n\n auth required pam_faillock.so preauth silent audit deny=3 even_deny_root\nfail_interval=900 unlock_time=900\n auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root\nfail_interval=900 unlock_time=900\n account required pam_faillock.so\n\n If the \"deny\" parameter is set to \"0\" or a value less than \"3\" on\nboth \"auth\" lines with the \"pam_faillock.so\" module, or is missing from\nthese lines, this is a finding.\n\n If the \"even_deny_root\" parameter is not set on both \"auth\" lines with\nthe \"pam_faillock.so\" module, or is missing from these lines, this is a\nfinding.\n\n If the \"fail_interval\" parameter is set to \"0\" or is set to a value\nless than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module,\nor is missing from these lines, this is a finding.\n\n If the \"unlock_time\" parameter is not set to \"0\", \"never\", or is set\nto a value less than \"900\" on both \"auth\" lines with the\n\"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\n Note: The maximum configurable value for \"unlock_time\" is \"604800\".\n\n If any line referencing the \"pam_faillock.so\" module is commented out,\nthis is a finding.\n\n # grep pam_faillock.so /etc/pam.d/system-auth\n\n auth required pam_faillock.so preauth silent audit deny=3 even_deny_root\nfail_interval=900 unlock_time=900\n auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root\nfail_interval=900 unlock_time=900\n account required pam_faillock.so\n\n If the \"deny\" parameter is set to \"0\" or a value less than \"3\" on\nboth \"auth\" lines with the \"pam_faillock.so\" module, or is missing from\nthese lines, 
this is a finding.\n\n If the \"even_deny_root\" parameter is not set on both \"auth\" lines with\nthe \"pam_faillock.so\" module, or is missing from these lines, this is a\nfinding.\n\n If the \"fail_interval\" parameter is set to \"0\" or is set to a value\nless than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module,\nor is missing from these lines, this is a finding.\n\n If the \"unlock_time\" parameter is not set to \"0\", \"never\", or is set\nto a value less than \"900\" on both \"auth\" lines with the\n\"pam_faillock.so\" module or is missing from these lines, this is a finding.\n\n Note: The maximum configurable value for \"unlock_time\" is \"604800\".\n If any line referencing the \"pam_faillock.so\" module is commented out,\nthis is a finding.", + "__new": "Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command:\n\n# grep pam_faillock.so /etc/pam.d/password-auth\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so \n\nIf the \"deny\" parameter is set to \"0\" or a value less than \"3\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"even_deny_root\" parameter is not set on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"fail_interval\" parameter is set to \"0\" or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"unlock_time\" parameter is not set to \"0\", \"never\", or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from 
these lines, this is a finding.\n\nNote: The maximum configurable value for \"unlock_time\" is \"604800\". \n\nIf any line referencing the \"pam_faillock.so\" module is commented out, this is a finding.\n\n# grep pam_faillock.so /etc/pam.d/system-auth\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so \n\nIf the \"deny\" parameter is set to \"0\" or a value less than \"3\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"even_deny_root\" parameter is not set on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"fail_interval\" parameter is set to \"0\" or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module, or is missing from these lines, this is a finding.\n\nIf the \"unlock_time\" parameter is not set to \"0\", \"never\", or is set to a value less than \"900\" on both \"auth\" lines with the \"pam_faillock.so\" module or is missing from these lines, this is a finding.\n\nNote: The maximum configurable value for \"unlock_time\" is \"604800\". \nIf any line referencing the \"pam_faillock.so\" module is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to lock an account for the maximum period\nwhen three unsuccessful logon attempts in 15 minutes are made.\n\n Modify the first three lines of the auth section and the first line of the\naccount section of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth silent audit deny=3 even_deny_root\nfail_interval=900 unlock_time=900\n auth sufficient pam_unix.so try_first_pass\n auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root\nfail_interval=900 unlock_time=900\n account required pam_faillock.so\n\n Note: Manual changes to the listed files may be overwritten by the\n\"authconfig\" program. The \"authconfig\" program should not be used to update\nthe configurations listed in this requirement.", + "__new": "Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.\n\nModify the first three lines of the auth section and the first line of the account section of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so \n\nNote: Manual changes to the listed files may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used to update the configurations listed in this requirement." 
+ } } }, "V-71945": { + "describe__deleted": " required_lines = [\n 'auth required pam_faillock.so even_deny_root',\n 'auth sufficient pam_unix.so try_first_pass',\n 'auth [default=die] pam_faillock.so even_deny_root'\n ]\n\n describe pam('/etc/pam.d/password-auth') do\n its('lines') { should match_pam_rules(required_lines) }\n its('lines') { should match_pam_rule('auth .* pam_faillock.so (preauth|authfail)').all_with_args('even_deny_root') }\n end\n\n describe pam('/etc/pam.d/system-auth') do\n its('lines') { should match_pam_rules(required_lines) }\n its('lines') { should match_pam_rule('auth .* pam_faillock.so (preauth|authfail)').all_with_args('even_deny_root') }\n end", "tags": { - "check_id": "C-72177r4_chk", - "severity": "medium", - "gid": "V-71945", - "rid": "SV-86569r4_rule", - "stig_id": "RHEL-07-010330", - "gtitle": "SRG-OS-000329-GPOS-00128", - "fix_id": "F-78297r3_fix", - "cci": [ - "CCI-002238" - ], - "nist": [ - "AC-7 b" - ] + "check_id__added": "C-72177r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71945" - ], - "title": "The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.", - "desc": "[\"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. 
Limits are imposed by locking the account.\\n\\nSatisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must lock the associated\naccount after three unsuccessful root logon attempts are made within a\n15-minute period.", + "__new": "The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period." + }, + "desc": { + "__old": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as brute\nforcing, is reduced. Limits are imposed by locking the account.", + "__new": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.\n\n" + }, "descs": { - "check": "Verify the operating system automatically locks the root account until it is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.\n\n# grep pam_faillock.so /etc/pam.d/password-auth\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 \nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 \naccount required pam_faillock.so\n\nIf the \"even_deny_root\" setting is not defined on both lines with the \"pam_faillock.so\" module, is commented out, or is missing from a line, this is a finding.\n\n# grep pam_faillock.so /etc/pam.d/system-auth\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 \nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so\n\nIf the \"even_deny_root\" setting is not defined on both lines with the 
\"pam_faillock.so\" module, is commented out, or is missing from a line, this is a finding.", - "fix": "Configure the operating system to lock automatically the root account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.\n\nModify the first three lines of the auth section and the first line of the account section of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so\n\nNote: Manual changes to the listed files may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used to update the configurations listed in this requirement." + "default__deleted": "By limiting the number of failed logon attempts, the risk of\nunauthorized system access via user password guessing, otherwise known as brute\nforcing, is reduced. 
Limits are imposed by locking the account.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system automatically locks the root account until it\nis released by an administrator when three unsuccessful logon attempts in 15\nminutes are made.\n\n # grep pam_faillock.so /etc/pam.d/password-auth\n auth required pam_faillock.so preauth silent audit deny=3 even_deny_root\nfail_interval=900 unlock_time=900\n auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root\nfail_interval=900 unlock_time=900\n account required pam_faillock.so\n\n If the \"even_deny_root\" setting is not defined on both lines with the\n\"pam_faillock.so\" module, is commented out, or is missing from a line, this\nis a finding.\n\n # grep pam_faillock.so /etc/pam.d/system-auth\n auth required pam_faillock.so preauth silent audit deny=3 even_deny_root\nfail_interval=900 unlock_time=900\n auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root\nfail_interval=900 unlock_time=900\n account required pam_faillock.so\n\n If the \"even_deny_root\" setting is not defined on both lines with the\n\"pam_faillock.so\" module, is commented out, or is missing from a line, this\nis a finding.", + "__new": "Verify the operating system automatically locks the root account until it is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.\n\n# grep pam_faillock.so /etc/pam.d/password-auth\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 \nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 \naccount required pam_faillock.so\n\nIf the \"even_deny_root\" setting is not defined on both lines with the \"pam_faillock.so\" module, is commented out, or is missing from a line, this is a finding.\n\n# grep pam_faillock.so /etc/pam.d/system-auth\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root 
fail_interval=900 unlock_time=900 \nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so\n\nIf the \"even_deny_root\" setting is not defined on both lines with the \"pam_faillock.so\" module, is commented out, or is missing from a line, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to lock automatically the root account until\nthe locked account is released by an administrator when three unsuccessful\nlogon attempts in 15 minutes are made.\n\n Modify the first three lines of the auth section and the first line of the\naccount section of the \"/etc/pam.d/system-auth\" and\n\"/etc/pam.d/password-auth\" files to match the following lines:\n\n auth required pam_faillock.so preauth silent audit deny=3 even_deny_root\nfail_interval=900 unlock_time=900\n auth sufficient pam_unix.so try_first_pass\n auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root\nfail_interval=900 unlock_time=900\n account required pam_faillock.so\n\n Note: Manual changes to the listed files may be overwritten by the\n\"authconfig\" program. 
The \"authconfig\" program should not be used to update\nthe configurations listed in this requirement.", + "__new": "Configure the operating system to lock automatically the root account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.\n\nModify the first three lines of the auth section and the first line of the account section of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900\nauth sufficient pam_unix.so try_first_pass\nauth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900\naccount required pam_faillock.so\n\nNote: Manual changes to the listed files may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used to update the configurations listed in this requirement." + } } }, "V-71947": { + "describe__deleted": " processed = []\n to_process = ['/etc/sudoers', '/etc/sudoers.d']\n\n while !to_process.empty?\n in_process = to_process.pop\n next if processed.include? in_process\n processed.push in_process\n\n if file(in_process).directory?\n to_process.concat(\n command(\"find #{in_process} -maxdepth 1 -mindepth 1\").\n stdout.strip.split(\"\\n\").\n select { |f| file(f).file? }\n )\n elsif file(in_process).file?\n to_process.concat(\n command(\"grep -E '#include\\\\s+' #{in_process} | sed 's/.*#include[[:space:]]*//g'\").\n stdout.strip.split(\"\\n\").\n map { |f| f.start_with?('/') ? f : File.join(File.dirname(in_process), f) }.\n select { |f| file(f).exist? }\n )\n to_process.concat(\n command(\"grep -E '#includedir\\\\s+' #{in_process} | sed 's/.*#includedir[[:space:]]*//g'\").\n stdout.strip.split(\"\\n\").\n map { |f| f.start_with?('/') ? f : File.join(File.dirname(in_process), f) }.\n select { |f| file(f).exist? 
}\n )\n end\n end\n\n sudoers = processed.select { |f| file(f).file? }\n\n sudoers.each do |sudoer|\n sudo_content = file(sudoer).content.strip.split(\"\\n\")\n nopasswd_lines = sudo_content.select { |l| l.match?(/^[^#].*NOPASSWD/) }\n describe \"#{sudoer} rules containing NOPASSWD\" do\n subject { nopasswd_lines }\n it { should be_empty }\n end\n end", "tags": { - "check_id": "C-72179r3_chk", - "severity": "medium", - "gid": "V-71947", - "rid": "SV-86571r3_rule", - "stig_id": "RHEL-07-010340", - "gtitle": "SRG-OS-000373-GPOS-00156", - "fix_id": "F-78299r2_fix", - "cci": [ - "CCI-002038" - ], - "nist": [ - "IA-11" - ] + "check_id__added": "C-72179r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71947" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.", - "desc": "[\"Without re-authentication, users may access resources or perform tasks for which they do not have authorization. \\n\\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.\\n\\nSatisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat users must provide a password for privilege escalation.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation." 
+ }, + "desc": { + "__old": "Without re-authentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the user re-authenticate.", + "__new": "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. \n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.\n\n" + }, "descs": { - "check": "If passwords are not being used for authentication, this is Not Applicable.\n\nVerify the operating system requires users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command:\n\n# grep -i nopasswd /etc/sudoers /etc/sudoers.d/*\n\nIf any uncommented line is found with a \"NOPASSWD\" tag, this is a finding.", - "fix": "Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" file with the following command:\n# visudo\n\nRemove any occurrences of \"NOPASSWD\" tags in the file. \n\nCheck the configuration of the /etc/sudoers.d/* files with the following command:\n# grep -i nopasswd /etc/sudoers.d/*\n\nRemove any occurrences of \"NOPASSWD\" tags in the file." 
+ "default__deleted": "Without re-authentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the user re-authenticate.", + "rationale__deleted": "", + "check": { + "__old": "If passwords are not being used for authentication, this is Not Applicable.\n\n Verify the operating system requires users to supply a password for\nprivilege escalation.\n\n Check the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\"\nfiles with the following command:\n\n # grep -i nopasswd /etc/sudoers /etc/sudoers.d/*\n\n If any uncommented line is found with a \"NOPASSWD\" tag, this is a finding.", + "__new": "If passwords are not being used for authentication, this is Not Applicable.\n\nVerify the operating system requires users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command:\n\n# grep -i nopasswd /etc/sudoers /etc/sudoers.d/*\n\nIf any uncommented line is found with a \"NOPASSWD\" tag, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to require users to supply a password for\nprivilege escalation.\n\n Check the configuration of the \"/etc/sudoers\" file with the following\ncommand:\n # visudo\n\n Remove any occurrences of \"NOPASSWD\" tags in the file.\n\n Check the configuration of the /etc/sudoers.d/* files with the following\ncommand:\n # grep -i nopasswd /etc/sudoers.d/*\n\n Remove any occurrences of \"NOPASSWD\" tags in the file.", + "__new": "Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" file with the following command:\n# visudo\n\nRemove any occurrences of \"NOPASSWD\" tags in the file. 
\n\nCheck the configuration of the /etc/sudoers.d/* files with the following command:\n# grep -i nopasswd /etc/sudoers.d/*\n\nRemove any occurrences of \"NOPASSWD\" tags in the file." + } } }, "V-71949": { + "describe__deleted": " describe command(\"grep -ir authenticate /etc/sudoers /etc/sudoers.d/*\") do\n its('stdout') { should_not match %r{!authenticate} }\n end", "tags": { - "check_id": "C-72181r5_chk", - "severity": "medium", - "gid": "V-71949", - "rid": "SV-86573r3_rule", - "stig_id": "RHEL-07-010350", - "gtitle": "SRG-OS-000373-GPOS-00156", - "fix_id": "F-78301r3_fix", - "cci": [ - "CCI-002038" - ], - "nist": [ - "IA-11" - ] + "check_id__added": "C-72181r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71949" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.", - "desc": "[\"Without re-authentication, users may access resources or perform tasks for which they do not have authorization. \\n\\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.\\n\\nSatisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat users must re-authenticate for privilege escalation.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation." 
+ }, + "desc": { + "__old": "Without re-authentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the user reauthenticate.", + "__new": "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. \n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.\n\n" + }, "descs": { - "check": "Verify the operating system requires users to reauthenticate for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command:\n\n# grep -i authenticate /etc/sudoers /etc/sudoers.d/*\n\nIf any uncommented line is found with a \"!authenticate\" tag, this is a finding.", - "fix": "Configure the operating system to require users to reauthenticate for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" file with the following command:\n\n# visudo\nRemove any occurrences of \"!authenticate\" tags in the file.\n\nCheck the configuration of the \"/etc/sudoers.d/*\" files with the following command:\n\n# grep -i authenticate /etc/sudoers /etc/sudoers.d/*\nRemove any occurrences of \"!authenticate\" tags in the file(s)." 
+ "default__deleted": "Without re-authentication, users may access resources or perform tasks\nfor which they do not have authorization.\n\n When operating systems provide the capability to escalate a functional\ncapability, it is critical the user reauthenticate.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system requires users to reauthenticate for privilege\nescalation.\n\n Check the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\"\nfiles with the following command:\n\n # grep -i authenticate /etc/sudoers /etc/sudoers.d/*\n\n If any uncommented line is found with a \"!authenticate\" tag, this is a\nfinding.", + "__new": "Verify the operating system requires users to reauthenticate for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command:\n\n# grep -i authenticate /etc/sudoers /etc/sudoers.d/*\n\nIf any uncommented line is found with a \"!authenticate\" tag, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to require users to reauthenticate for\nprivilege escalation.\n\n Check the configuration of the \"/etc/sudoers\" file with the following\ncommand:\n\n # visudo\n Remove any occurrences of \"!authenticate\" tags in the file.\n\n Check the configuration of the \"/etc/sudoers.d/*\" files with the\nfollowing command:\n\n # grep -i authenticate /etc/sudoers /etc/sudoers.d/*\n Remove any occurrences of \"!authenticate\" tags in the file(s).", + "__new": "Configure the operating system to require users to reauthenticate for privilege escalation.\n\nCheck the configuration of the \"/etc/sudoers\" file with the following command:\n\n# visudo\nRemove any occurrences of \"!authenticate\" tags in the file.\n\nCheck the configuration of the \"/etc/sudoers.d/*\" files with the following command:\n\n# grep -i authenticate /etc/sudoers /etc/sudoers.d/*\nRemove any occurrences of \"!authenticate\" tags in the file(s)." 
+ } } }, "V-71951": { + "describe__deleted": " describe login_defs do\n its('FAIL_DELAY.to_i') { should cmp >= 4 }\n end", "tags": { - "check_id": "C-72183r2_chk", - "severity": "medium", - "gid": "V-71951", - "rid": "SV-86575r2_rule", - "stig_id": "RHEL-07-010430", - "gtitle": "SRG-OS-000480-GPOS-00226", - "fix_id": "F-78303r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72183r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71951" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds.", - "desc": "[\"Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\\n\\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. 
Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the delay between logon prompts following a failed console logon attempt\nis at least four seconds.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds." + }, + "desc": { + "__old": "Configuring the operating system to implement organization-wide\nsecurity implementation guides and security checklists verifies compliance with\nfederal standards and establishes a common security baseline across DoD that\nreflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. 
Security-related parameters include, for example, registry\nsettings; account, file, and directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.", + "__new": "Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections." 
+ }, "descs": { - "check": "Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt.\n\nCheck the value of the \"fail_delay\" parameter in the \"/etc/login.defs\" file with the following command:\n\n# grep -i fail_delay /etc/login.defs\nFAIL_DELAY 4\n\nIf the value of \"FAIL_DELAY\" is not set to \"4\" or greater, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt.\n\nModify the \"/etc/login.defs\" file to set the \"FAIL_DELAY\" parameter to \"4\" or greater:\n\nFAIL_DELAY 4" + "default__deleted": "Configuring the operating system to implement organization-wide\nsecurity implementation guides and security checklists verifies compliance with\nfederal standards and establishes a common security baseline across DoD that\nreflects the most restrictive security posture consistent with operational\nrequirements.\n\n Configuration settings are the set of parameters that can be changed in\nhardware, software, or firmware components of the system that affect the\nsecurity posture and/or functionality of the system. Security-related\nparameters are those parameters impacting the security state of the system,\nincluding the parameters required to satisfy other security control\nrequirements. 
Security-related parameters include, for example, registry\nsettings; account, file, and directory permission settings; and settings for\nfunctions, ports, protocols, services, and remote connections.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system enforces a delay of at least four seconds\nbetween console logon prompts following a failed logon attempt.\n\n Check the value of the \"fail_delay\" parameter in the \"/etc/login.defs\"\nfile with the following command:\n\n # grep -i fail_delay /etc/login.defs\n FAIL_DELAY 4\n\n If the value of \"FAIL_DELAY\" is not set to \"4\" or greater, or the line\nis commented out, this is a finding.", + "__new": "Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt.\n\nCheck the value of the \"fail_delay\" parameter in the \"/etc/login.defs\" file with the following command:\n\n# grep -i fail_delay /etc/login.defs\nFAIL_DELAY 4\n\nIf the value of \"FAIL_DELAY\" is not set to \"4\" or greater, or the line is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to enforce a delay of at least four seconds\nbetween logon prompts following a failed console logon attempt.\n\n Modify the \"/etc/login.defs\" file to set the \"FAIL_DELAY\" parameter to\n\"4\" or greater:\n\n FAIL_DELAY 4", + "__new": "Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt.\n\nModify the \"/etc/login.defs\" file to set the \"FAIL_DELAY\" parameter to \"4\" or greater:\n\nFAIL_DELAY 4" + } } }, "V-71953": { + "describe__deleted": " custom_conf = '/etc/gdm/custom.conf'\n\n if package('gdm').installed?\n if ((f = file(custom_conf)).exist?)\n describe ini(custom_conf) do\n its('daemon.AutomaticLoginEnable') { cmp false }\n end\n else\n describe f do\n it { should exist }\n end\n end\n else\n impact 0.0\n describe \"The system does not have GDM installed\" do\n skip \"The system does not have GDM installed, this requirement is Not Applicable.\"\n end\n end", "tags": { - "check_id": "C-72185r1_chk", - "severity": "high", - "gid": "V-71953", - "rid": "SV-86577r2_rule", - "stig_id": "RHEL-07-010440", - "gtitle": "SRG-OS-000480-GPOS-00229", - "fix_id": "F-78305r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72185r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71953" - ], - "title": "The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.", - "desc": "[\"Failure to restrict system access to authenticated users negatively impacts operating system security.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not allow an\nunattended or automatic logon to the system via a graphical user interface.", + "__new": "The Red Hat Enterprise 
Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface." + }, + "desc": { + "__old": "Failure to restrict system access to authenticated users negatively\nimpacts operating system security.", + "__new": "Failure to restrict system access to authenticated users negatively impacts operating system security." + }, + "impact": { + "__old": 0, + "__new": 0.7 + }, "descs": { - "check": "Verify the operating system does not allow an unattended or automatic logon to the system via a graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. \n\nCheck for the value of the \"AutomaticLoginEnable\" in the \"/etc/gdm/custom.conf\" file with the following command:\n\n# grep -i automaticloginenable /etc/gdm/custom.conf\nAutomaticLoginEnable=false\n\nIf the value of \"AutomaticLoginEnable\" is not set to \"false\", this is a finding.", - "fix": "Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nAdd or edit the line for the \"AutomaticLoginEnable\" parameter in the [daemon] section of the \"/etc/gdm/custom.conf\" file to \"false\":\n\n[daemon]\nAutomaticLoginEnable=false" + "default__deleted": "Failure to restrict system access to authenticated users negatively\nimpacts operating system security.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system does not allow an unattended or automatic logon\nto the system via a graphical user interface.\n\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable.\n\n Check for the value of the \"AutomaticLoginEnable\" in the\n\"/etc/gdm/custom.conf\" file with the following command:\n\n # grep -i automaticloginenable /etc/gdm/custom.conf\n AutomaticLoginEnable=false\n\n If the value of 
\"AutomaticLoginEnable\" is not set to \"false\", this is a\nfinding.", + "__new": "Verify the operating system does not allow an unattended or automatic logon to the system via a graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. \n\nCheck for the value of the \"AutomaticLoginEnable\" in the \"/etc/gdm/custom.conf\" file with the following command:\n\n# grep -i automaticloginenable /etc/gdm/custom.conf\nAutomaticLoginEnable=false\n\nIf the value of \"AutomaticLoginEnable\" is not set to \"false\", this is a finding." + }, + "fix": { + "__old": "Configure the operating system to not allow an unattended or automatic\nlogon to the system via a graphical user interface.\n\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable.\n\n Add or edit the line for the \"AutomaticLoginEnable\" parameter in the\n[daemon] section of the \"/etc/gdm/custom.conf\" file to \"false\":\n\n [daemon]\n AutomaticLoginEnable=false", + "__new": "Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nAdd or edit the line for the \"AutomaticLoginEnable\" parameter in the [daemon] section of the \"/etc/gdm/custom.conf\" file to \"false\":\n\n[daemon]\nAutomaticLoginEnable=false" + } } }, "V-71955": { + "describe__deleted": " custom_conf = '/etc/gdm/custom.conf'\n\n if package('gdm').installed?\n impact 0.7\n if ((f = file(custom_conf)).exist?)\n describe ini(custom_conf) do\n its('daemon.TimedLoginEnable') { cmp false }\n end\n else\n describe f do\n it { should exist }\n end\n end\n else\n impact 0.0\n describe \"The system does not have GDM installed\" do\n skip \"The system does not have GDM installed, this requirement is Not Applicable.\"\n end\n end", "tags": { - "check_id": "C-72187r2_chk", - "severity": "high", - "gid": "V-71955", 
- "rid": "SV-86579r3_rule", - "stig_id": "RHEL-07-010450", - "gtitle": "SRG-OS-000480-GPOS-00229", - "fix_id": "F-78307r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72187r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71955" - ], - "title": "The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.", - "desc": "[\"Failure to restrict system access to authenticated users negatively impacts operating system security.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not allow an\nunrestricted logon to the system.", + "__new": "The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system." + }, + "desc": { + "__old": "Failure to restrict system access to authenticated users negatively\nimpacts operating system security.", + "__new": "Failure to restrict system access to authenticated users negatively impacts operating system security." + }, + "impact": { + "__old": 0, + "__new": 0.7 + }, "descs": { - "check": "Verify the operating system does not allow an unrestricted logon to the system via a graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. 
\n\nCheck for the value of the \"TimedLoginEnable\" parameter in \"/etc/gdm/custom.conf\" file with the following command:\n\n# grep -i timedloginenable /etc/gdm/custom.conf\nTimedLoginEnable=false\n\nIf the value of \"TimedLoginEnable\" is not set to \"false\", this is a finding.", - "fix": "Configure the operating system to not allow an unrestricted account to log on to the system via a graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nAdd or edit the line for the \"TimedLoginEnable\" parameter in the [daemon] section of the \"/etc/gdm/custom.conf\" file to \"false\":\n\n[daemon]\nTimedLoginEnable=false" + "default__deleted": "Failure to restrict system access to authenticated users negatively\nimpacts operating system security.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system does not allow an unrestricted logon to the\nsystem via a graphical user interface.\n\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable.\n\n Check for the value of the \"TimedLoginEnable\" parameter in\n\"/etc/gdm/custom.conf\" file with the following command:\n\n # grep -i timedloginenable /etc/gdm/custom.conf\n TimedLoginEnable=false\n\n If the value of \"TimedLoginEnable\" is not set to \"false\", this is a\nfinding.", + "__new": "Verify the operating system does not allow an unrestricted logon to the system via a graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. \n\nCheck for the value of the \"TimedLoginEnable\" parameter in \"/etc/gdm/custom.conf\" file with the following command:\n\n# grep -i timedloginenable /etc/gdm/custom.conf\nTimedLoginEnable=false\n\nIf the value of \"TimedLoginEnable\" is not set to \"false\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to not allow an unrestricted account to log\non to the system via a graphical user interface.\n\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable.\n\n Add or edit the line for the \"TimedLoginEnable\" parameter in the [daemon]\nsection of the \"/etc/gdm/custom.conf\" file to \"false\":\n\n [daemon]\n TimedLoginEnable=false", + "__new": "Configure the operating system to not allow an unrestricted account to log on to the system via a graphical user interface.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nAdd or edit the line for the \"TimedLoginEnable\" parameter in the [daemon] section of the \"/etc/gdm/custom.conf\" file to \"false\":\n\n[daemon]\nTimedLoginEnable=false" + } } }, "V-71957": { + "describe__deleted": " describe sshd_config do\n its('PermitUserEnvironment') { should eq 'no' }\n end", "tags": { - "check_id": "C-72189r1_chk", - "severity": "medium", - "gid": "V-71957", - "rid": "SV-86581r3_rule", - "stig_id": "RHEL-07-010460", - "gtitle": "SRG-OS-000480-GPOS-00229", - "fix_id": "F-78309r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72189r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71957" - ], - "title": "The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.", - "desc": "[\"Failure to restrict system access to authenticated users negatively impacts operating system security.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not allow users to\noverride SSH environment variables.", + "__new": "The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables." 
+ }, + "desc": { + "__old": "Failure to restrict system access to authenticated users negatively\nimpacts operating system security.", + "__new": "Failure to restrict system access to authenticated users negatively impacts operating system security." + }, "descs": { - "check": "Verify the operating system does not allow users to override environment variables to the SSH daemon.\n\nCheck for the value of the \"PermitUserEnvironment\" keyword with the following command:\n\n# grep -i permituserenvironment /etc/ssh/sshd_config\nPermitUserEnvironment no\n\nIf the \"PermitUserEnvironment\" keyword is not set to \"no\", is missing, or is commented out, this is a finding.", - "fix": "Configure the operating system to not allow users to override environment variables to the SSH daemon.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for \"PermitUserEnvironment\" keyword and set the value to \"no\":\n\nPermitUserEnvironment no\n\nThe SSH service must be restarted for changes to take effect." 
+ "default__deleted": "Failure to restrict system access to authenticated users negatively\nimpacts operating system security.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system does not allow users to override environment\nvariables to the SSH daemon.\n\n Check for the value of the \"PermitUserEnvironment\" keyword with the\nfollowing command:\n\n # grep -i permituserenvironment /etc/ssh/sshd_config\n PermitUserEnvironment no\n\n If the \"PermitUserEnvironment\" keyword is not set to \"no\", is missing,\nor is commented out, this is a finding.", + "__new": "Verify the operating system does not allow users to override environment variables to the SSH daemon.\n\nCheck for the value of the \"PermitUserEnvironment\" keyword with the following command:\n\n# grep -i permituserenvironment /etc/ssh/sshd_config\nPermitUserEnvironment no\n\nIf the \"PermitUserEnvironment\" keyword is not set to \"no\", is missing, or is commented out, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to not allow users to override environment\nvariables to the SSH daemon.\n\n Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for\n\"PermitUserEnvironment\" keyword and set the value to \"no\":\n\n PermitUserEnvironment no\n\n The SSH service must be restarted for changes to take effect.", + "__new": "Configure the operating system to not allow users to override environment variables to the SSH daemon.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for \"PermitUserEnvironment\" keyword and set the value to \"no\":\n\nPermitUserEnvironment no\n\nThe SSH service must be restarted for changes to take effect." 
+ } } }, "V-71959": { + "describe__deleted": " describe sshd_config do\n its('HostbasedAuthentication') { should eq 'no' }\n end", "tags": { - "check_id": "C-72191r1_chk", - "severity": "medium", - "gid": "V-71959", - "rid": "SV-86583r3_rule", - "stig_id": "RHEL-07-010470", - "gtitle": "SRG-OS-000480-GPOS-00229", - "fix_id": "F-78311r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72191r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71959" - ], - "title": "The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system.", - "desc": "[\"Failure to restrict system access to authenticated users negatively impacts operating system security.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not allow a\nnon-certificate trusted host SSH logon to the system.", + "__new": "The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system." + }, + "desc": { + "__old": "Failure to restrict system access to authenticated users negatively\nimpacts operating system security.", + "__new": "Failure to restrict system access to authenticated users negatively impacts operating system security." 
+ }, "descs": { - "check": "Verify the operating system does not allow a non-certificate trusted host SSH logon to the system.\n\nCheck for the value of the \"HostbasedAuthentication\" keyword with the following command:\n\n# grep -i hostbasedauthentication /etc/ssh/sshd_config\nHostbasedAuthentication no\n\nIf the \"HostbasedAuthentication\" keyword is not set to \"no\", is missing, or is commented out, this is a finding.", - "fix": "Configure the operating system to not allow a non-certificate trusted host SSH logon to the system.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for \"HostbasedAuthentication\" keyword and set the value to \"no\":\n\nHostbasedAuthentication no\n\nThe SSH service must be restarted for changes to take effect." + "default__deleted": "Failure to restrict system access to authenticated users negatively\nimpacts operating system security.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system does not allow a non-certificate trusted host\nSSH logon to the system.\n\n Check for the value of the \"HostbasedAuthentication\" keyword with the\nfollowing command:\n\n # grep -i hostbasedauthentication /etc/ssh/sshd_config\n HostbasedAuthentication no\n\n If the \"HostbasedAuthentication\" keyword is not set to \"no\", is\nmissing, or is commented out, this is a finding.", + "__new": "Verify the operating system does not allow a non-certificate trusted host SSH logon to the system.\n\nCheck for the value of the \"HostbasedAuthentication\" keyword with the following command:\n\n# grep -i hostbasedauthentication /etc/ssh/sshd_config\nHostbasedAuthentication no\n\nIf the \"HostbasedAuthentication\" keyword is not set to \"no\", is missing, or is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to not allow a non-certificate trusted host\nSSH logon to the system.\n\n Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for\n\"HostbasedAuthentication\" keyword and set the value to \"no\":\n\n HostbasedAuthentication no\n\n The SSH service must be restarted for changes to take effect.", + "__new": "Configure the operating system to not allow a non-certificate trusted host SSH logon to the system.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for \"HostbasedAuthentication\" keyword and set the value to \"no\":\n\nHostbasedAuthentication no\n\nThe SSH service must be restarted for changes to take effect." + } } }, "V-71961": { + "describe__deleted": " grub_superuser = input('grub_superuser')\n grub_user_boot_files = input('grub_user_boot_files')\n grub_main_cfg = input('grub_main_cfg')\n\n grub_main_content = file(grub_main_cfg).content\n\n if file('/sys/firmware/efi').exist?\n impact 0.0\n describe \"System running UEFI\" do\n skip \"The System is running UEFI, this control is Not Applicable.\"\n end\n else\n if os[:release] >= \"7.2\"\n impact 0.0\n describe \"System running version of RHEL that is equal to or newer than 7.2\" do\n skip \"The System is running version #{os[:release]} of RHEL, this control is Not Applicable.\"\n end\n else\n impact 0.7\n # Check if any additional superusers are set\n pattern = %r{\\s*set superusers=\\\"(\\w+)\\\"}i\n matches = grub_main_content.match(pattern)\n superusers = matches.nil? ? [] : matches.captures\n describe \"There must be only one grub2 superuser, and it must have the value #{grub_superuser}\" do\n subject { superusers }\n its('length') { should cmp 1 }\n its('first') { should cmp grub_superuser }\n end\n\n # Need each password entry that has the superuser\n pattern = %r{(.*)\\s#{grub_superuser}\\s}i\n matches = grub_main_content.match(pattern)\n password_entries = matches.nil? ? 
[] : matches.captures\n # Each of the entries should start with password_pbkdf2\n describe 'The grub2 superuser password entry must begin with \\'password_pbkdf2\\'' do\n subject { password_entries }\n its('length') { is_expected.to be >= 1}\n password_entries.each do |entry|\n subject { entry }\n it { should include 'password_pbkdf2'}\n end\n end\n\n # Get lines such as 'password_pbkdf2 root ${ENV}'\n pattern = %r{password_pbkdf2\\s#{grub_superuser}\\s(\\${\\w+})}i\n matches = grub_main_content.match(pattern)\n env_vars = matches.nil? ? [] : matches.captures\n if env_vars.length > 0\n # If there is an environment variable in the configuration file check that it is set with correct values by looking\n # in user.cfg files.\n env_vars = env_vars.map { |env_var| env_var.gsub(/[${}]/, '') }\n present_user_boot_files = grub_user_boot_files.select { |user_boot_file| file(user_boot_file).exist? }\n describe 'grub2 user configuration files for the superuser should be present if they set an environment variable' do\n subject { present_user_boot_files }\n its('length') { is_expected.to be >= 1 }\n present_user_boot_files.each do |user_boot_file|\n env_vars.each do |env_var|\n describe \"#{user_boot_file} should set #{env_var} to a pbkdf2 value\" do\n subject { file(user_boot_file) }\n its('content') { should match %r{^#{env_var}=grub.pbkdf2}i }\n end\n end\n end\n end\n else\n # If there are no environment variable set, look for pbkdf2 after the superuser name\n pattern = %r{password_pbkdf2\\s#{grub_superuser}\\sgrub\\.pbkdf2}i\n describe 'The grub2 superuser account password should be encrypted with pbkdf2.' 
do\n subject { grub_main_content }\n it { should match pattern }\n end\n end\n end\n end", "tags": { - "check_id": "C-72193r6_chk", - "severity": "high", - "gid": "V-71961", - "rid": "SV-86585r6_rule", - "stig_id": "RHEL-07-010480", - "gtitle": "SRG-OS-000080-GPOS-00048", - "fix_id": "F-78313r3_fix", - "cci": [ - "CCI-000213" - ], - "nist": [ - "AC-3" - ] + "check_id__added": "C-72193r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71961" - ], - "title": "Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.", - "desc": "[\"If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.false\"]", - "impact": 0.7, + "title": { + "__old": "Red Hat Enterprise Linux operating systems prior to version 7.2 with a\nBasic Input/Output System (BIOS) must require authentication upon booting into\nsingle-user and maintenance modes.", + "__new": "Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." + }, + "desc": { + "__old": "If the system does not require valid root authentication before it\nboots into single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. 
GRUB\n2 is the default boot loader for RHEL 7 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.", + "__new": "If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu." + }, + "impact": { + "__old": 0, + "__new": 0.7 + }, "descs": { - "check": "For systems that use UEFI, this is Not Applicable.\nFor systems that are running RHEL 7.2 or newer, this is Not Applicable.\n\nCheck to see if an encrypted root password is set. On systems that use a BIOS, use the following command:\n\n# grep -i password_pbkdf2 /boot/grub2/grub.cfg\n\npassword_pbkdf2 [superusers-account] [password-hash]\n\nIf the root password entry does not begin with \"password_pbkdf2\", this is a finding.\n\nIf the \"superusers-account\" is not set to \"root\", this is a finding.", - "fix": "Configure the system to encrypt the boot password for root.\n\nGenerate an encrypted grub2 password for root with the following command:\n\nNote: The hash generated is an example.\n\n# grub2-mkpasswd-pbkdf2\n\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45\n\nEdit \"/etc/grub.d/40_custom\" and add the following lines below the comments:\n\n# vi /etc/grub.d/40_custom\n\nset superusers=\"root\"\n\npassword_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}\n\nGenerate a new \"grub.conf\" file with the new password with the following commands:\n\n# grub2-mkconfig --output=/tmp/grub2.cfg\n# mv /tmp/grub2.cfg /boot/grub2/grub.cfg" + "default__deleted": "If the system does not require valid root authentication before it\nboots into single-user or maintenance 
mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. GRUB\n2 is the default boot loader for RHEL 7 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.", + "rationale__deleted": "", + "check": { + "__old": "For systems that use UEFI, this is Not Applicable.\n For systems that are running RHEL 7.2 or newer, this is Not Applicable.\n\n Check to see if an encrypted root password is set. On systems that use a\nBIOS, use the following command:\n\n # grep -i password_pbkdf2 /boot/grub2/grub.cfg\n\n password_pbkdf2 [superusers-account] [password-hash]\n\n If the root password entry does not begin with \"password_pbkdf2\", this is\na finding.\n\n If the \"superusers-account\" is not set to \"root\", this is a finding.", + "__new": "For systems that use UEFI, this is Not Applicable.\nFor systems that are running RHEL 7.2 or newer, this is Not Applicable.\n\nCheck to see if an encrypted root password is set. On systems that use a BIOS, use the following command:\n\n# grep -i password_pbkdf2 /boot/grub2/grub.cfg\n\npassword_pbkdf2 [superusers-account] [password-hash]\n\nIf the root password entry does not begin with \"password_pbkdf2\", this is a finding.\n\nIf the \"superusers-account\" is not set to \"root\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the system to encrypt the boot password for root.\n\n Generate an encrypted grub2 password for root with the following command:\n\n Note: The hash generated is an example.\n\n # grub2-mkpasswd-pbkdf2\n\n Enter Password:\n Reenter Password:\n PBKDF2 hash of your password is\ngrub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45\n\n Edit \"/etc/grub.d/40_custom\" and add the following lines below the\ncomments:\n\n # vi /etc/grub.d/40_custom\n\n set superusers=\"root\"\n\n password_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}\n\n Generate a new \"grub.conf\" file with the new password with the following\ncommands:\n\n # grub2-mkconfig --output=/tmp/grub2.cfg\n # mv /tmp/grub2.cfg /boot/grub2/grub.cfg", + "__new": "Configure the system to encrypt the boot password for root.\n\nGenerate an encrypted grub2 password for root with the following command:\n\nNote: The hash generated is an example.\n\n# grub2-mkpasswd-pbkdf2\n\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45\n\nEdit \"/etc/grub.d/40_custom\" and add the following lines below the comments:\n\n# vi /etc/grub.d/40_custom\n\nset superusers=\"root\"\n\npassword_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}\n\nGenerate a new \"grub.conf\" file with the new password with the following commands:\n\n# grub2-mkconfig --output=/tmp/grub2.cfg\n# mv /tmp/grub2.cfg /boot/grub2/grub.cfg" + } } }, "V-71963": { + "describe__deleted": " os_minor_version = os().release.split('.')[1].to_i\n\n efi_superusers = os_minor_version < 2 ? 
input('efi_superusers') : ['root']\n efi_superusers.push('root') if !efi_superusers.include?('root')\n efi_main_cfg = \"/boot/efi/EFI/#{os().name}/grub.cfg\"\n\n unless file('/sys/firmware/efi').exist?\n impact 0.0\n describe \"System running BIOS\" do\n skip \"The System is running BIOS, this control is Not Applicable.\"\n end\n else\n if os[:release] < \"7.2\"\n impact 0.0\n describe \"System running version of RHEL prior to 7.2\" do\n skip \"The System is running an outdated version of RHEL, this control is Not Applicable.\"\n end\n else\n impact 0.7\n efi_superusers.each do |user|\n describe file(efi_main_cfg) do\n its('content') { should match %r{^\\s*password_pbkdf2\\s+#{user} } }\n end\n end\n end\n end", "tags": { - "check_id": "C-72195r4_chk", - "severity": "high", - "gid": "V-71963", - "rid": "SV-86587r4_rule", - "stig_id": "RHEL-07-010490", - "gtitle": "SRG-OS-000080-GPOS-00048", - "fix_id": "F-78315r3_fix", - "cci": [ - "CCI-000213" - ], - "nist": [ - "AC-3" - ] + "check_id__added": "C-72195r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71963" - ], - "title": "Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.", - "desc": "[\"If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.false\"]", - "impact": 0.7, + "title": { + "__old": "Red Hat Enterprise Linux operating systems prior to version 7.2 using\nUnified Extensible Firmware Interface (UEFI) must require authentication upon\nbooting into single-user and maintenance modes.", + "__new": "Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." + }, + "desc": { + "__old": "If the system does not require valid root authentication before it\nboots into single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. GRUB\n2 is the default boot loader for RHEL 7 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.", + "__new": "If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu." + }, + "impact": { + "__old": 0, + "__new": 0.7 + }, "descs": { - "check": "For systems that use BIOS, this is Not Applicable.\nFor systems that are running RHEL 7.2 or newer, this is Not Applicable.\n\nCheck to see if an encrypted root password is set. 
On systems that use UEFI, use the following command:\n\n# grep -i password /boot/efi/EFI/redhat/grub.cfg\n\npassword_pbkdf2 [superusers-account] [password-hash]\n\nIf the root password entry does not begin with \"password_pbkdf2\", this is a finding.\n\nIf the \"superusers-account\" is not set to \"root\", this is a finding.", - "fix": "Configure the system to encrypt the boot password for root.\n\nGenerate an encrypted grub2 password for root with the following command:\n\nNote: The hash generated is an example.\n\n# grub2-mkpasswd-pbkdf2\n\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45\n\nEdit \"/etc/grub.d/40_custom\" and add the following lines below the comments:\n\n# vi /etc/grub.d/40_custom\n\nset superusers=\"root\"\n\npassword_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}\n\nGenerate a new \"grub.conf\" file with the new password with the following commands:\n\n# grub2-mkconfig --output=/tmp/grub2.cfg\n# mv /tmp/grub2.cfg /boot/efi/EFI/redhat/grub.cfg" + "default__deleted": "If the system does not require valid root authentication before it\nboots into single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. GRUB\n2 is the default boot loader for RHEL 7 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.", + "rationale__deleted": "", + "check": { + "__old": "For systems that use BIOS, this is Not Applicable.\n For systems that are running RHEL 7.2 or newer, this is Not Applicable.\n\n Check to see if an encrypted root password is set. 
On systems that use\nUEFI, use the following command:\n\n # grep -i password /boot/efi/EFI/redhat/grub.cfg\n\n password_pbkdf2 [superusers-account] [password-hash]\n\n If the root password entry does not begin with \"password_pbkdf2\", this is\na finding.\n\n If the \"superusers-account\" is not set to \"root\", this is a finding.", + "__new": "For systems that use BIOS, this is Not Applicable.\nFor systems that are running RHEL 7.2 or newer, this is Not Applicable.\n\nCheck to see if an encrypted root password is set. On systems that use UEFI, use the following command:\n\n# grep -i password /boot/efi/EFI/redhat/grub.cfg\n\npassword_pbkdf2 [superusers-account] [password-hash]\n\nIf the root password entry does not begin with \"password_pbkdf2\", this is a finding.\n\nIf the \"superusers-account\" is not set to \"root\", this is a finding." + }, + "fix": { + "__old": "Configure the system to encrypt the boot password for root.\n\n Generate an encrypted grub2 password for root with the following command:\n\n Note: The hash generated is an example.\n\n # grub2-mkpasswd-pbkdf2\n\n Enter Password:\n Reenter Password:\n PBKDF2 hash of your password is\ngrub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45\n\n Edit \"/etc/grub.d/40_custom\" and add the following lines below the\ncomments:\n\n # vi /etc/grub.d/40_custom\n\n set superusers=\"root\"\n\n password_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}\n\n Generate a new \"grub.conf\" file with the new password with the following\ncommands:\n\n # grub2-mkconfig --output=/tmp/grub2.cfg\n # mv /tmp/grub2.cfg /boot/efi/EFI/redhat/grub.cfg", + "__new": "Configure the system to encrypt the boot password for root.\n\nGenerate an encrypted grub2 password for root with the following command:\n\nNote: The hash generated is an example.\n\n# grub2-mkpasswd-pbkdf2\n\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is 
grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45\n\nEdit \"/etc/grub.d/40_custom\" and add the following lines below the comments:\n\n# vi /etc/grub.d/40_custom\n\nset superusers=\"root\"\n\npassword_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}\n\nGenerate a new \"grub.conf\" file with the new password with the following commands:\n\n# grub2-mkconfig --output=/tmp/grub2.cfg\n# mv /tmp/grub2.cfg /boot/efi/EFI/redhat/grub.cfg" + } } }, "V-71965": { + "describe__deleted": " smart_card_status = input('smart_card_status')\n if smart_card_status.eql?('enabled')\n impact 0.5\n describe command(\"authconfig --test | grep -i smartcard\") do\n its('stdout') { should match %r{use\\sonly\\ssmartcard\\sfor\\slogin\\sis\\s#{smart_card_status}} }\n its('stdout') { should match %r{smartcard\\smodule\\s=\\s\".+\"} }\n its('stdout') { should match %r{smartcard\\sremoval\\saction\\s=\\s\".+\"} }\n end\n else\n impact 0.0\n describe \"The system is not smartcard enabled\" do\n skip \"The system is not using Smartcards / PIVs to fulfil the MFA requirement, this control is Not Applicable.\"\n end\n end", "tags": { - "check_id": "C-72197r3_chk", - "severity": "medium", - "gid": "V-71965", - "rid": "SV-86589r2_rule", - "stig_id": "RHEL-07-010500", - "gtitle": "SRG-OS-000104-GPOS-00051", - "fix_id": "F-78317r3_fix", - "cci": [ - "CCI-000766" - ], - "nist": [ - "IA-2 (2)" - ] + "check_id__added": "C-72197r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71965" - ], - "title": "The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.", - "desc": "[\"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and 
compromise of the system.\\n\\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following:\\n\\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; \\n\\nand\\n\\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.\\n\\nSatisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must uniquely identify\nand must authenticate organizational users (or processes acting on behalf of\norganizational users) using multifactor authentication.", + "__new": "The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication." 
+ }, + "desc": { + "__old": "To assure accountability and prevent unauthenticated access,\norganizational users must be identified and authenticated to prevent potential\nmisuse and compromise of the system.\n\n Organizational users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nOrganizational users (and processes acting on behalf of users) must be uniquely\nidentified and authenticated to all accesses, except for the following:\n\n 1) Accesses explicitly identified and documented by the organization.\nOrganizations document specific user actions that can be performed on the\ninformation system without identification or authentication;\n\n and\n\n 2) Accesses that occur through authorized use of group authenticators\nwithout individual authentication. Organizations may require unique\nidentification of individuals in group accounts (e.g., shared privilege\naccounts) or for detailed accountability of individual activity.", + "__new": "To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following:\n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; \n\nand\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. 
Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.\n\n" + }, "descs": { - "check": "Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication.\n\nCheck to see if smartcard authentication is enforced on the system:\n\n# authconfig --test | grep \"pam_pkcs11 is enabled\"\n\nIf no results are returned, this is a finding.\n\n# authconfig --test | grep \"smartcard removal action\"\n\nIf \"smartcard removal action\" is blank, this is a finding.\n\n# authconfig --test | grep \"smartcard module\"\n\nIf \"smartcard module\" is blank, this is a finding.", - "fix": "Configure the operating system to require individuals to be authenticated with a multifactor authenticator.\n\nEnable smartcard logons with the following commands:\n\n# authconfig --enablesmartcard --smartcardaction=0 --update\n# authconfig --enablerequiresmartcard -update\n\nModify the \"/etc/pam_pkcs11/pkcs11_eventmgr.conf\" file to uncomment the following line:\n\n#/usr/X11R6/bin/xscreensaver-command -lock\n\nModify the \"/etc/pam_pkcs11/pam_pkcs11.conf\" file to use the cackey module if required." 
+ "default__deleted": "To assure accountability and prevent unauthenticated access,\norganizational users must be identified and authenticated to prevent potential\nmisuse and compromise of the system.\n\n Organizational users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nOrganizational users (and processes acting on behalf of users) must be uniquely\nidentified and authenticated to all accesses, except for the following:\n\n 1) Accesses explicitly identified and documented by the organization.\nOrganizations document specific user actions that can be performed on the\ninformation system without identification or authentication;\n\n and\n\n 2) Accesses that occur through authorized use of group authenticators\nwithout individual authentication. Organizations may require unique\nidentification of individuals in group accounts (e.g., shared privilege\naccounts) or for detailed accountability of individual activity.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system requires multifactor authentication to uniquely\nidentify organizational users using multifactor authentication.\n\n Check to see if smartcard authentication is enforced on the system:\n\n # authconfig --test | grep \"pam_pkcs11 is enabled\"\n\n If no results are returned, this is a finding.\n\n # authconfig --test | grep \"smartcard removal action\"\n\n If \"smartcard removal action\" is blank, this is a finding.\n\n # authconfig --test | grep \"smartcard module\"\n\n If \"smartcard module\" is blank, this is a finding.", + "__new": "Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication.\n\nCheck to see if smartcard authentication is enforced on the system:\n\n# authconfig --test | grep \"pam_pkcs11 is enabled\"\n\nIf no results are returned, this is a finding.\n\n# authconfig --test | grep \"smartcard 
removal action\"\n\nIf \"smartcard removal action\" is blank, this is a finding.\n\n# authconfig --test | grep \"smartcard module\"\n\nIf \"smartcard module\" is blank, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to require individuals to be authenticated\nwith a multifactor authenticator.\n\n Enable smartcard logons with the following commands:\n\n # authconfig --enablesmartcard --smartcardaction=0 --update\n # authconfig --enablerequiresmartcard -update\n\n Modify the \"/etc/pam_pkcs11/pkcs11_eventmgr.conf\" file to uncomment the\nfollowing line:\n\n #/usr/X11R6/bin/xscreensaver-command -lock\n\n Modify the \"/etc/pam_pkcs11/pam_pkcs11.conf\" file to use the cackey\nmodule if required.", + "__new": "Configure the operating system to require individuals to be authenticated with a multifactor authenticator.\n\nEnable smartcard logons with the following commands:\n\n# authconfig --enablesmartcard --smartcardaction=0 --update\n# authconfig --enablerequiresmartcard -update\n\nModify the \"/etc/pam_pkcs11/pkcs11_eventmgr.conf\" file to uncomment the following line:\n\n#/usr/X11R6/bin/xscreensaver-command -lock\n\nModify the \"/etc/pam_pkcs11/pam_pkcs11.conf\" file to use the cackey module if required." 
+ } } }, "V-71967": { + "describe__deleted": " describe package(\"rsh-server\") do\n it { should_not be_installed }\n end", "tags": { - "check_id": "C-72199r1_chk", - "severity": "high", - "gid": "V-71967", - "rid": "SV-86591r2_rule", - "stig_id": "RHEL-07-020000", - "gtitle": "SRG-OS-000095-GPOS-00049", - "fix_id": "F-78319r1_fix", - "cci": [ - "CCI-000381" - ], - "nist": [ - "CM-7 a" - ] + "check_id__added": "C-72199r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71967" - ], - "title": "The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.", - "desc": "[\"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\\n\\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\\n\\nThe rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.\\n\\nIf a privileged user were to log on using this service, the privileged user password could be compromised.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not have the\nrsh-server package installed.", + "__new": "The Red Hat Enterprise Linux operating system must not have the rsh-server package installed." 
+ }, + "desc": { + "__old": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The rsh-server service provides an unencrypted remote access service that\ndoes not provide for the confidentiality and integrity of user passwords or the\nremote session and has very weak authentication.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.", + "__new": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised." 
+ }, "descs": { - "check": "Check to see if the rsh-server package is installed with the following command:\n\n# yum list installed rsh-server\n\nIf the rsh-server package is installed, this is a finding.", - "fix": "Configure the operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command:\n\n# yum remove rsh-server" + "default__deleted": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n The rsh-server service provides an unencrypted remote access service that\ndoes not provide for the confidentiality and integrity of user passwords or the\nremote session and has very weak authentication.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.", + "rationale__deleted": "", + "check": { + "__old": "Check to see if the rsh-server package is installed with the following\ncommand:\n\n # yum list installed rsh-server\n\n If the rsh-server package is installed, this is a finding.", + "__new": "Check to see if the rsh-server package is installed with the following command:\n\n# yum list installed rsh-server\n\nIf the rsh-server package is installed, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to disable non-essential capabilities by\nremoving the rsh-server package from the system with the following command:\n\n # yum remove rsh-server", + "__new": "Configure the operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command:\n\n# yum remove rsh-server" + } } }, "V-71969": { + "describe__deleted": " describe package(\"ypserv\") do\n it { should_not be_installed }\n end", "tags": { - "check_id": "C-72201r1_chk", - "severity": "high", - "gid": "V-71969", - "rid": "SV-86593r2_rule", - "stig_id": "RHEL-07-020010", - "gtitle": "SRG-OS-000095-GPOS-00049", - "fix_id": "F-78321r1_fix", - "cci": [ - "CCI-000381" - ], - "nist": [ - "CM-7 a" - ] + "check_id__added": "C-72201r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71969" - ], - "title": "The Red Hat Enterprise Linux operating system must not have the ypserv package installed.", - "desc": "[\"Removing the \\\"ypserv\\\" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not have the ypserv\npackage installed.", + "__new": "The Red Hat Enterprise Linux operating system must not have the ypserv package installed." + }, + "desc": { + "__old": "Removing the \"ypserv\" package decreases the risk of the accidental\n(or intentional) activation of NIS or NIS+ services.", + "__new": "Removing the \"ypserv\" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services." 
+ }, "descs": { - "check": "The NIS service provides an unencrypted authentication service that does not provide for the confidentiality and integrity of user passwords or the remote session.\n\nCheck to see if the \"ypserve\" package is installed with the following command:\n\n# yum list installed ypserv\n\nIf the \"ypserv\" package is installed, this is a finding.", - "fix": "Configure the operating system to disable non-essential capabilities by removing the \"ypserv\" package from the system with the following command:\n\n# yum remove ypserv" + "default__deleted": "Removing the \"ypserv\" package decreases the risk of the accidental\n(or intentional) activation of NIS or NIS+ services.", + "rationale__deleted": "", + "check": { + "__old": "The NIS service provides an unencrypted authentication service that does\nnot provide for the confidentiality and integrity of user passwords or the\nremote session.\n\n Check to see if the \"ypserve\" package is installed with the following\ncommand:\n\n # yum list installed ypserv\n\n If the \"ypserv\" package is installed, this is a finding.", + "__new": "The NIS service provides an unencrypted authentication service that does not provide for the confidentiality and integrity of user passwords or the remote session.\n\nCheck to see if the \"ypserve\" package is installed with the following command:\n\n# yum list installed ypserv\n\nIf the \"ypserv\" package is installed, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to disable non-essential capabilities by\nremoving the \"ypserv\" package from the system with the following command:\n\n # yum remove ypserv", + "__new": "Configure the operating system to disable non-essential capabilities by removing the \"ypserv\" package from the system with the following command:\n\n# yum remove ypserv" + } } }, "V-71971": { + "describe__deleted": " admin_logins = input('admin_logins')\n\n if package('MFEhiplsm').installed? 
&& processes(/hipclient/).exist?\n impact 0.0\n describe \"HIPS is active on the system\" do\n skip \"A HIPS process is active on the system, this control is Not Applicable.\"\n end\n elsif service('cma').installed? && service('cma').enabled?\n impact 0.0\n describe \"HBSS is active on the system\" do\n skip \"A HBSS service is active on the system, this control is Not Applicable.\"\n end\n else\n impact 0.5\n describe command('selinuxenabled') do\n its('exist?') { should be true }\n its('exit_status') { should eq 0 }\n end\n\n selinux_mode = file('/etc/selinux/config').content.lines.\n grep(/\\A\\s*SELINUXTYPE=/).last.split('=').last.strip\n\n seusers = file(\"/etc/selinux/#{selinux_mode}/seusers\").content.lines.\n grep_v(/(#|\\A\\s+\\Z)/).map(&:strip)\n\n seusers = seusers.map{|x| x.split(':')[0..1]}\n\n describe 'seusers' do\n it { expect(seusers).to_not be_empty }\n end\n\n users_to_ignore = [\n 'root',\n 'system_u'\n ]\n\n seusers.each do |user, context|\n next if users_to_ignore.include?(user)\n\n describe \"SELinux login #{user}\" do\n if user == '__default__'\n let(:valid_users){[ 'user_u' ]}\n elsif admin_logins.include?(user)\n let(:valid_users){[\n 'sysadm_u',\n 'staff_u'\n ]}\n else\n let(:valid_users){[\n 'user_u',\n 'guest_u',\n 'xguest_u'\n ]}\n end\n\n it { expect(context).to be_in(valid_users) }\n end\n end\n end", "tags": { - "check_id": "C-72203r3_chk", - "severity": "medium", - "gid": "V-71971", - "rid": "SV-86595r3_rule", - "stig_id": "RHEL-07-020020", - "gtitle": "SRG-OS-000324-GPOS-00125", - "fix_id": "F-78323r2_fix", - "cci": [ - "CCI-002165", - "CCI-002235" - ], - "nist": [ - "AC-3 (4)", - "AC-6 (10)" - ] + "check_id__added": "C-72203r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, + "rid": { + "__old": "SV-86595r2_rule", + "__new": "SV-86595r3_rule" + }, + "fix_id": { + "__old": "F-78323r1_fix", + "__new": "F-78323r2_fix" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - 
"V-71971" - ], - "title": "The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.", - "desc": "[\"Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\\n\\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must prevent\nnon-privileged users from executing privileged functions to include disabling,\ncircumventing, or altering implemented security safeguards/countermeasures.", + "__new": "The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." + }, + "desc": { + "__old": "Preventing non-privileged users from executing privileged functions\nmitigates the risk that unauthorized individuals or processes may gain\nunnecessary access to information or privileges.\n\n Privileged functions include, for example, establishing accounts,\nperforming system integrity checks, or administering cryptographic key\nmanagement activities. Non-privileged users are individuals who do not possess\nappropriate authorizations. 
Circumventing intrusion detection and prevention\nmechanisms or malicious code protection mechanisms are examples of privileged\nfunctions that require protection from non-privileged users.", + "__new": "Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users." + }, "descs": { - "check": "If an HBSS or HIPS is active on the system, this is Not Applicable.\n\nVerify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nGet a list of authorized users (other than System Administrator and guest accounts) for the system.\n\nCheck the list against the system by using the following command:\n\n# semanage login -l | more\n\nLogin Name SELinux User MLS/MCS Range Service\n__default__ user_u s0-s0:c0.c1023 *\nroot unconfined_u s0-s0:c0.c1023 *\nsystem_u system_u s0-s0:c0.c1023 *\njoe staff_u s0-s0:c0.c1023 *\n\nAll administrators must be mapped to the \"sysadm_u\", \"staff_u\", or an appropriately tailored confined role as defined by the organization.\n\nAll authorized non-administrative users must be mapped to the \"user_u\" role. 
\n\nIf they are not mapped in this way, this is a finding.", - "fix": "Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nUse the following command to map a new user to the \"sysadm_u\" role: \n\n#semanage login -a -s sysadm_u \n\nUse the following command to map an existing user to the \"sysadm_u\" role:\n\n#semanage login -m -s sysadm_u \n\nUse the following command to map a new user to the \"staff_u\" role:\n\n#semanage login -a -s staff_u \n\nUse the following command to map an existing user to the \"staff_u\" role:\n\n#semanage login -m -s staff_u \n\nUse the following command to map a new user to the \"user_u\" role:\n\n# semanage login -a -s user_u \n\nUse the following command to map an existing user to the \"user_u\" role:\n\n# semanage login -m -s user_u " + "default__deleted": "Preventing non-privileged users from executing privileged functions\nmitigates the risk that unauthorized individuals or processes may gain\nunnecessary access to information or privileges.\n\n Privileged functions include, for example, establishing accounts,\nperforming system integrity checks, or administering cryptographic key\nmanagement activities. Non-privileged users are individuals who do not possess\nappropriate authorizations. 
Circumventing intrusion detection and prevention\nmechanisms or malicious code protection mechanisms are examples of privileged\nfunctions that require protection from non-privileged users.", + "rationale__deleted": "", + "check": { + "__old": "If an HBSS or HIPS is active on the system, this is Not Applicable.\n\n Verify the operating system prevents non-privileged users from executing\nprivileged functions to include disabling, circumventing, or altering\nimplemented security safeguards/countermeasures.\n\n Get a list of authorized users (other than System Administrator and guest\naccounts) for the system.\n\n Check the list against the system by using the following command:\n\n # semanage login -l | more\n Login Name SELinux User MLS/MCS Range Service\n __default__ user_u s0-s0:c0.c1023 *\n root unconfined_u s0-s0:c0.c1023 *\n system_u system_u s0-s0:c0.c1023 *\n joe staff_u s0-s0:c0.c1023 *\n\n All administrators must be mapped to the \"sysadm_u\" or \"staff_u\" users\nrole.\n\n All authorized non-administrative users must be mapped to the \"user_u\"\nrole.\n\n If they are not mapped in this way, this is a finding.", + "__new": "If an HBSS or HIPS is active on the system, this is Not Applicable.\n\nVerify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nGet a list of authorized users (other than System Administrator and guest accounts) for the system.\n\nCheck the list against the system by using the following command:\n\n# semanage login -l | more\n\nLogin Name SELinux User MLS/MCS Range Service\n__default__ user_u s0-s0:c0.c1023 *\nroot unconfined_u s0-s0:c0.c1023 *\nsystem_u system_u s0-s0:c0.c1023 *\njoe staff_u s0-s0:c0.c1023 *\n\nAll administrators must be mapped to the \"sysadm_u\", \"staff_u\", or an appropriately tailored confined role as defined by the organization.\n\nAll authorized non-administrative users must 
be mapped to the \"user_u\" role. \n\nIf they are not mapped in this way, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to prevent non-privileged users from\nexecuting privileged functions to include disabling, circumventing, or altering\nimplemented security safeguards/countermeasures.\n\n Use the following command to map a new user to the \"sysdam_u\" role:\n\n #semanage login -a -s sysadm_u \n\n Use the following command to map an existing user to the \"sysdam_u\" role:\n\n #semanage login -m -s sysadm_u \n\n Use the following command to map a new user to the \"staff_u\" role:\n\n #semanage login -a -s staff_u \n\n Use the following command to map an existing user to the \"staff_u\" role:\n\n #semanage login -m -s staff_u \n\n Use the following command to map a new user to the \"user_u\" role:\n\n # semanage login -a -s user_u \n\n Use the following command to map an existing user to the \"user_u\" role:\n\n # semanage login -m -s user_u ", + "__new": "Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.\n\nUse the following command to map a new user to the \"sysadm_u\" role: \n\n#semanage login -a -s sysadm_u \n\nUse the following command to map an existing user to the \"sysadm_u\" role:\n\n#semanage login -m -s sysadm_u \n\nUse the following command to map a new user to the \"staff_u\" role:\n\n#semanage login -a -s staff_u \n\nUse the following command to map an existing user to the \"staff_u\" role:\n\n#semanage login -m -s staff_u \n\nUse the following command to map a new user to the \"user_u\" role:\n\n# semanage login -a -s user_u \n\nUse the following command to map an existing user to the \"user_u\" role:\n\n# semanage login -m -s user_u " + } } }, "V-71973": { + "describe__deleted": " file_integrity_tool = input('file_integrity_tool')\n file_integrity_interval = 
input('file_integrity_interval')\n\n describe package(file_integrity_tool) do\n it { should be_installed }\n end\n\n if file_integrity_interval == 'monthly'\n describe.one do\n describe file(\"/etc/cron.daily/#{file_integrity_tool}\") do\n it { should exist }\n end\n describe file(\"/etc/cron.weekly/#{file_integrity_tool}\") do\n it { should exist }\n end\n describe file(\"/etc/cron.monthly/#{file_integrity_tool}\") do\n it { should exist }\n end\n if file(\"/etc/cron.d/#{file_integrity_tool}\").exist?\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") do\n its('months') { should cmp '*' }\n its('weekdays') { should cmp '*' }\n end\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") do\n its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n end\n end\n describe crontab('root').where { command =~ %r{#{file_integrity_tool}} } do\n its('months') { should cmp '*' }\n its('weekdays') { should cmp '*' }\n end\n describe crontab('root').where { command =~ %r{#{file_integrity_tool}} } do\n its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n end\n end\n elsif file_integrity_interval == 'weekly'\n describe.one do\n describe file(\"/etc/cron.daily/#{file_integrity_tool}\") do\n it { should exist }\n end\n describe file(\"/etc/cron.weekly/#{file_integrity_tool}\") do\n it { should exist }\n end\n if file(\"/etc/cron.d/#{file_integrity_tool}\").exist?\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") do\n its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n end\n end\n describe crontab('root').where { command =~ %r{#{file_integrity_tool}} } do\n its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n end\n end\n elsif file_integrity_interval == 'daily'\n describe.one do\n describe file(\"/etc/cron.daily/#{file_integrity_tool}\") do\n it { should exist }\n end\n if file(\"/etc/cron.d/#{file_integrity_tool}\").exist?\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") 
do\n its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n its('weekdays') { should cmp '*' }\n end\n end\n describe crontab('root').where { command =~ %r{#{file_integrity_tool}} } do\n its('days') { should cmp '*' }\n its('months') { should cmp '*' }\n its('weekdays') { should cmp '*' }\n end\n end\n end", "tags": { - "check_id": "C-72205r2_chk", - "severity": "medium", - "gid": "V-71973", - "rid": "SV-86597r2_rule", - "stig_id": "RHEL-07-020030", - "gtitle": "SRG-OS-000363-GPOS-00150", - "fix_id": "F-78325r2_fix", - "cci": [ - "CCI-001744" - ], - "nist": [ - "CM-3 (5)" - ] + "check_id__added": "C-72205r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71973" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.", - "desc": "[\"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\\n\\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat a file integrity tool verifies the baseline operating system configuration\nat least weekly.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly." + }, + "desc": { + "__old": "Unauthorized changes to the baseline configuration could make the\nsystem vulnerable to various attacks or allow unauthorized access to the\noperating system. Changes to operating system configurations can have\nunintended side effects, some of which may be relevant to security.\n\n Detecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security\nstate of the operating system. The operating system's Information Management\nOfficer (IMO)/Information System Security Officer (ISSO) and System\nAdministrators (SAs) must be notified via email and/or monitoring system trap\nwhen there is an unauthorized modification of a configuration item.", + "__new": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item." + }, "descs": { - "check": "Verify the operating system routinely checks the baseline configuration for unauthorized changes.\n\nNote: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week.\n\nCheck to see if AIDE is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the SA how file integrity checks are performed on the system.\n\nCheck for the presence of a cron job running daily or weekly on the system that executes AIDE daily to scan for changes to the system baseline. The command used in the example will use a daily occurrence.\n\nCheck the cron directories for a script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:\n\n# ls -al /etc/cron.* | grep aide\n-rwxr-xr-x 1 root root 29 Nov 22 2015 aide\n\n# grep aide /etc/crontab /var/spool/cron/root\n/etc/crontab: 30 04 * * * /root/aide\n/var/spool/cron/root: 30 04 * * * /root/aide\n\nIf the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.", - "fix": "Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. 
It will set cron to run AIDE daily, but other file integrity tools may be used: \n\n# more /etc/cron.daily/aide\n#!/bin/bash\n\n/usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil" + "default__deleted": "Unauthorized changes to the baseline configuration could make the\nsystem vulnerable to various attacks or allow unauthorized access to the\noperating system. Changes to operating system configurations can have\nunintended side effects, some of which may be relevant to security.\n\n Detecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security\nstate of the operating system. The operating system's Information Management\nOfficer (IMO)/Information System Security Officer (ISSO) and System\nAdministrators (SAs) must be notified via email and/or monitoring system trap\nwhen there is an unauthorized modification of a configuration item.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system routinely checks the baseline configuration for\nunauthorized changes.\n\n Note: A file integrity tool other than Advanced Intrusion Detection\nEnvironment (AIDE) may be used, but the tool must be executed at least once per\nweek.\n\n Check to see if AIDE is installed on the system with the following command:\n\n # yum list installed aide\n\n If AIDE is not installed, ask the SA how file integrity checks are\nperformed on the system.\n\n Check for the presence of a cron job running daily or weekly on the system\nthat executes AIDE daily to scan for changes to the system baseline. The\ncommand used in the example will use a daily occurrence.\n\n Check the cron directories for a script file controlling the execution of\nthe file integrity application. 
For example, if AIDE is installed on the\nsystem, use the following command:\n\n # ls -al /etc/cron.* | grep aide\n -rwxr-xr-x 1 root root 29 Nov 22 2015 aide\n\n # grep aide /etc/crontab /var/spool/cron/root\n /etc/crontab: 30 04 * * * /root/aide\n /var/spool/cron/root: 30 04 * * * /root/aide\n\n If the file integrity application does not exist, or a script file\ncontrolling the execution of the file integrity application does not exist,\nthis is a finding.", + "__new": "Verify the operating system routinely checks the baseline configuration for unauthorized changes.\n\nNote: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week.\n\nCheck to see if AIDE is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the SA how file integrity checks are performed on the system.\n\nCheck for the presence of a cron job running daily or weekly on the system that executes AIDE daily to scan for changes to the system baseline. The command used in the example will use a daily occurrence.\n\nCheck the cron directories for a script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:\n\n# ls -al /etc/cron.* | grep aide\n-rwxr-xr-x 1 root root 29 Nov 22 2015 aide\n\n# grep aide /etc/crontab /var/spool/cron/root\n/etc/crontab: 30 04 * * * /root/aide\n/var/spool/cron/root: 30 04 * * * /root/aide\n\nIf the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding." + }, + "fix": { + "__old": "Configure the file integrity tool to run automatically on the system at\nleast weekly. The following example output is generic. 
It will set cron to run\nAIDE daily, but other file integrity tools may be used:\n\n # more /etc/cron.daily/aide\n #!/bin/bash\n\n /usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity\ncheck run\" root@sysname.mil", + "__new": "Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used: \n\n# more /etc/cron.daily/aide\n#!/bin/bash\n\n/usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil" + } } }, "V-71975": { + "describe__deleted": " file_integrity_tool = input('file_integrity_tool')\n\n describe package(file_integrity_tool) do\n it { should be_installed }\n end\n describe.one do\n describe file(\"/etc/cron.daily/#{file_integrity_tool}\") do\n its('content') { should match %r{/bin/mail} }\n end\n describe file(\"/etc/cron.weekly/#{file_integrity_tool}\") do\n its('content') { should match %r{/bin/mail} }\n end\n describe crontab('root').where { command =~ %r{#{file_integrity_tool}} } do\n its('commands.flatten') { should include(match %r{/bin/mail}) }\n end\n if file(\"/etc/cron.d/#{file_integrity_tool}\").exist?\n describe crontab(path: \"/etc/cron.d/#{file_integrity_tool}\") do\n its('commands') { should include(match %r{/bin/mail}) }\n end\n end\n end", "tags": { - "check_id": "C-72207r2_chk", - "severity": "medium", - "gid": "V-71975", - "rid": "SV-86599r2_rule", - "stig_id": "RHEL-07-020040", - "gtitle": "SRG-OS-000363-GPOS-00150", - "fix_id": "F-78327r3_fix", - "cci": [ - "CCI-001744" - ], - "nist": [ - "CM-3 (5)" - ] + "check_id__added": "C-72207r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71975" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline 
configurations are changed in an unauthorized manner.", - "desc": "[\"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\\n\\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat designated personnel are notified if baseline configurations are changed\nin an unauthorized manner.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner." + }, + "desc": { + "__old": "Unauthorized changes to the baseline configuration could make the\nsystem vulnerable to various attacks or allow unauthorized access to the\noperating system. Changes to operating system configurations can have\nunintended side effects, some of which may be relevant to security.\n\n Detecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security\nstate of the operating system. 
The operating system's Information Management\nOfficer (IMO)/Information System Security Officer (ISSO) and System\nAdministrators (SAs) must be notified via email and/or monitoring system trap\nwhen there is an unauthorized modification of a configuration item.", + "__new": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item." + }, "descs": { - "check": "Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner.\n\nNote: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert.\n\nCheck to see if AIDE is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the SA how file integrity checks are performed on the system. \n\nCheck for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence.\n\nCheck the cron directories for a \"crontab\" script file controlling the execution of the file integrity application. 
For example, if AIDE is installed on the system, use the following command:\n\n# ls -al /etc/cron.* | grep aide\n-rwxr-xr-x 1 root root 32 Jul 1 2011 aide\n\n# grep aide /etc/crontab /var/spool/cron/root\n/etc/crontab: 30 04 * * * /root/aide\n/var/spool/cron/root: 30 04 * * * /root/aide\n\nAIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example:\n\n# more /etc/cron.daily/aide\n#!/bin/bash\n\n/usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil\n\nIf the file integrity application does not notify designated personnel of changes, this is a finding.", - "fix": "Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. \n\nThe following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. \n\n# more /etc/cron.daily/aide\n\n/usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil" + "default__deleted": "Unauthorized changes to the baseline configuration could make the\nsystem vulnerable to various attacks or allow unauthorized access to the\noperating system. Changes to operating system configurations can have\nunintended side effects, some of which may be relevant to security.\n\n Detecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security\nstate of the operating system. 
The operating system's Information Management\nOfficer (IMO)/Information System Security Officer (ISSO) and System\nAdministrators (SAs) must be notified via email and/or monitoring system trap\nwhen there is an unauthorized modification of a configuration item.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system notifies designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\n Note: A file integrity tool other than Advanced Intrusion Detection\nEnvironment (AIDE) may be used, but the tool must be executed and notify\nspecified individuals via email or an alert.\n\n Check to see if AIDE is installed on the system with the following command:\n\n # yum list installed aide\n\n If AIDE is not installed, ask the SA how file integrity checks are\nperformed on the system.\n\n Check for the presence of a cron job running routinely on the system that\nexecutes AIDE to scan for changes to the system baseline. The commands used in\nthe example will use a daily occurrence.\n\n Check the cron directories for a \"crontab\" script file controlling the\nexecution of the file integrity application. 
For example, if AIDE is installed\non the system, use the following command:\n\n # ls -al /etc/cron.* | grep aide\n -rwxr-xr-x 1 root root 32 Jul 1 2011 aide\n\n # grep aide /etc/crontab /var/spool/cron/root\n /etc/crontab: 30 04 * * * /root/aide\n /var/spool/cron/root: 30 04 * * * /root/aide\n\n AIDE does not have a configuration that will send a notification, so the\ncron job uses the mail application on the system to email the results of the\nfile integrity run as in the following example:\n\n # more /etc/cron.daily/aide\n #!/bin/bash\n\n /usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity\ncheck run\" root@sysname.mil\n\n If the file integrity application does not notify designated personnel of\nchanges, this is a finding.", + "__new": "Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner.\n\nNote: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert.\n\nCheck to see if AIDE is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the SA how file integrity checks are performed on the system. \n\nCheck for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence.\n\nCheck the cron directories for a \"crontab\" script file controlling the execution of the file integrity application. 
For example, if AIDE is installed on the system, use the following command:\n\n# ls -al /etc/cron.* | grep aide\n-rwxr-xr-x 1 root root 32 Jul 1 2011 aide\n\n# grep aide /etc/crontab /var/spool/cron/root\n/etc/crontab: 30 04 * * * /root/aide\n/var/spool/cron/root: 30 04 * * * /root/aide\n\nAIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example:\n\n# more /etc/cron.daily/aide\n#!/bin/bash\n\n/usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil\n\nIf the file integrity application does not notify designated personnel of changes, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner. The AIDE tool can be\nconfigured to email designated personnel with the use of the cron system.\n\n The following example output is generic. It will set cron to run AIDE daily\nand to send email at the completion of the analysis.\n\n # more /etc/cron.daily/aide\n\n /usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity\ncheck run\" root@sysname.mil", + "__new": "Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. \n\nThe following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. 
\n\n# more /etc/cron.daily/aide\n\n/usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil" + } } }, "V-71977": { + "describe__deleted": " yum_conf = '/etc/yum.conf'\n\n if ((f = file(yum_conf)).exist?)\n describe ini(yum_conf) do\n its('main.gpgcheck') { should cmp 1 }\n end\n else\n describe f do\n it { should exist }\n end\n end", "tags": { - "check_id": "C-72209r1_chk", - "severity": "high", - "gid": "V-71977", - "rid": "SV-86601r2_rule", - "stig_id": "RHEL-07-020050", - "gtitle": "SRG-OS-000366-GPOS-00153", - "fix_id": "F-78329r1_fix", - "cci": [ - "CCI-001749" - ], - "nist": [ - "CM-5 (3)" - ] + "check_id__added": "C-72209r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71977" - ], - "title": "The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.", - "desc": "[\"Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\\n\\nAccordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.\\n\\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. 
The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must prevent the\ninstallation of software, patches, service packs, device drivers, or operating\nsystem components from a repository without verification they have been\ndigitally signed using a certificate that is issued by a Certificate Authority\n(CA) that is recognized and approved by the organization.", + "__new": "The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." + }, + "desc": { + "__old": "Changes to any software components can have significant effects on the\noverall security of the operating system. This requirement ensures the software\nhas not been tampered with and that it has been provided by a trusted vendor.\n\n Accordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by the\norganization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. This verifies the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The\noperating system should not have to verify the software again. 
This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.", + "__new": "Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.\n\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA." + }, "descs": { - "check": "Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.\n\nCheck that yum verifies the signature of packages from a repository prior to install with the following command:\n\n# grep gpgcheck /etc/yum.conf\ngpgcheck=1\n\nIf \"gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. 
\n\nIf there is no process to validate certificates that is approved by the organization, this is a finding.", - "fix": "Configure the operating system to verify the signature of packages from a repository prior to install by setting the following option in the \"/etc/yum.conf\" file:\n\ngpgcheck=1" + "default__deleted": "Changes to any software components can have significant effects on the\noverall security of the operating system. This requirement ensures the software\nhas not been tampered with and that it has been provided by a trusted vendor.\n\n Accordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by the\norganization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. This verifies the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The\noperating system should not have to verify the software again. 
This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system prevents the installation of patches, service\npacks, device drivers, or operating system components from a repository without\nverification that they have been digitally signed using a certificate that is\nrecognized and approved by the organization.\n\n Check that yum verifies the signature of packages from a repository prior\nto install with the following command:\n\n # grep gpgcheck /etc/yum.conf\n gpgcheck=1\n\n If \"gpgcheck\" is not set to \"1\", or if options are missing or commented\nout, ask the System Administrator how the certificates for patches and other\noperating system components are verified.\n\n If there is no process to validate certificates that is approved by the\norganization, this is a finding.", + "__new": "Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.\n\nCheck that yum verifies the signature of packages from a repository prior to install with the following command:\n\n# grep gpgcheck /etc/yum.conf\ngpgcheck=1\n\nIf \"gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. \n\nIf there is no process to validate certificates that is approved by the organization, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to verify the signature of packages from a\nrepository prior to install by setting the following option in the\n\"/etc/yum.conf\" file:\n\n gpgcheck=1", + "__new": "Configure the operating system to verify the signature of packages from a repository prior to install by setting the following option in the \"/etc/yum.conf\" file:\n\ngpgcheck=1" + } } }, "V-71979": { + "describe__deleted": " yum_conf = '/etc/yum.conf'\n\n if ((f = file(yum_conf)).exist?)\n describe ini(yum_conf) do\n its('main.localpkg_gpgcheck') { cmp 1 }\n end\n else\n describe f do\n it { should exist }\n end\n end", "tags": { - "check_id": "C-72211r1_chk", - "severity": "high", - "gid": "V-71979", - "rid": "SV-86603r2_rule", - "stig_id": "RHEL-07-020060", - "gtitle": "SRG-OS-000366-GPOS-00153", - "fix_id": "F-78331r1_fix", - "cci": [ - "CCI-001749" - ], - "nist": [ - "CM-5 (3)" - ] + "check_id__added": "C-72211r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71979" - ], - "title": "The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.", - "desc": "[\"Changes to any software components can have significant effects on the overall security of the operating system. 
This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\\n\\nAccordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.\\n\\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must prevent the\ninstallation of software, patches, service packs, device drivers, or operating\nsystem components of local packages without verification they have been\ndigitally signed using a certificate that is issued by a Certificate Authority\n(CA) that is recognized and approved by the organization.", + "__new": "The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." + }, + "desc": { + "__old": "Changes to any software components can have significant effects on the\noverall security of the operating system. 
This requirement ensures the software\nhas not been tampered with and that it has been provided by a trusted vendor.\n\n Accordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by the\norganization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. This verifies the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The\noperating system should not have to verify the software again. This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.", + "__new": "Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.\n\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA." 
+ }, "descs": { - "check": "Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.\n\nCheck that yum verifies the signature of local packages prior to install with the following command:\n\n# grep localpkg_gpgcheck /etc/yum.conf\nlocalpkg_gpgcheck=1\n\nIf \"localpkg_gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified. \n\nIf there is no process to validate the signatures of local packages that is approved by the organization, this is a finding.", - "fix": "Configure the operating system to verify the signature of local packages prior to install by setting the following option in the \"/etc/yum.conf\" file:\n\nlocalpkg_gpgcheck=1" + "default__deleted": "Changes to any software components can have significant effects on the\noverall security of the operating system. This requirement ensures the software\nhas not been tampered with and that it has been provided by a trusted vendor.\n\n Accordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by the\norganization.\n\n Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. This verifies the\nsoftware has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The\noperating system should not have to verify the software again. 
This requirement\ndoes not mandate DoD certificates for this purpose; however, the certificate\nused to verify the software must be from an approved CA.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system prevents the installation of patches, service\npacks, device drivers, or operating system components of local packages without\nverification that they have been digitally signed using a certificate that is\nrecognized and approved by the organization.\n\n Check that yum verifies the signature of local packages prior to install\nwith the following command:\n\n # grep localpkg_gpgcheck /etc/yum.conf\n localpkg_gpgcheck=1\n\n If \"localpkg_gpgcheck\" is not set to \"1\", or if options are missing or\ncommented out, ask the System Administrator how the signatures of local\npackages and other operating system components are verified.\n\n If there is no process to validate the signatures of local packages that is\napproved by the organization, this is a finding.", + "__new": "Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.\n\nCheck that yum verifies the signature of local packages prior to install with the following command:\n\n# grep localpkg_gpgcheck /etc/yum.conf\nlocalpkg_gpgcheck=1\n\nIf \"localpkg_gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified. \n\nIf there is no process to validate the signatures of local packages that is approved by the organization, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to verify the signature of local packages\nprior to install by setting the following option in the \"/etc/yum.conf\" file:\n\n localpkg_gpgcheck=1", + "__new": "Configure the operating system to verify the signature of local packages prior to install by setting the following option in the \"/etc/yum.conf\" file:\n\nlocalpkg_gpgcheck=1" + } } }, "V-71983": { + "describe__deleted": " unless input('data_loss_prevention_installed')\n impact 0.0\n describe \"The system is not using an HBSS with a Device Control Module and a Data Loss Prevention mechanism\" do\n skip \"The system is not using an HBSS with a Device Control Module and a Data Loss Prevention mechanism, this control is Not Applicable.\"\n end\n else\n describe kernel_module('usb_storage') do\n it { should_not be_loaded }\n it { should be_blacklisted }\n end\n end", "tags": { - "check_id": "C-72215r4_chk", - "severity": "medium", - "gid": "V-71983", - "rid": "SV-86607r4_rule", - "stig_id": "RHEL-07-020100", - "gtitle": "SRG-OS-000114-GPOS-00059", - "fix_id": "F-78335r4_fix", - "cci": [ - "CCI-000366", - "CCI-000778", - "CCI-001958" - ], - "nist": [ - "CM-6 b", - "IA-3", - "IA-3" - ] + "check_id__added": "C-72215r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71983" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.", - "desc": "[\"USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.\\n\\nSatisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured to\ndisable USB mass storage.", + "__new": "The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage." 
+ }, + "desc": { + "__old": "USB mass storage permits easy introduction of unknown devices, thereby\nfacilitating malicious activity.", + "__new": "USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.\n\n" + }, "descs": { - "check": "If there is an HBSS with a Device Control Module and a Data Loss Prevention mechanism, this requirement is not applicable.\n\nVerify the operating system disables the ability to load the USB Storage kernel module.\n\n# grep -r usb-storage /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v \"^#\"\n\ninstall usb-storage /bin/true\n\nIf the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use USB mass storage devices.\n\nCheck to see if USB mass storage is disabled with the following command:\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\" | grep -v \"^#\"\nblacklist usb-storage\n\nIf the command does not return any output or the output is not \"blacklist usb-storage\", and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Configure the operating system to disable the ability to use the USB Storage kernel module.\n\nCreate a file under \"/etc/modprobe.d\" with the following command:\n\n# touch /etc/modprobe.d/usb-storage.conf\n\nAdd the following line to the created file:\n\ninstall usb-storage /bin/true\n\nConfigure the operating system to disable the ability to use USB mass storage devices.\n\n# vi /etc/modprobe.d/blacklist.conf\n\nAdd or update the line:\n\nblacklist usb-storage" + "default__deleted": "USB mass storage permits easy introduction of unknown devices, thereby\nfacilitating malicious activity.", + "rationale__deleted": "", + "check": { + 
"__old": "If there is an HBSS with a Device Control Module and a Data Loss Prevention\nmechanism, this requirement is not applicable.\n\n Verify the operating system disables the ability to load the USB Storage\nkernel module.\n\n # grep -r usb-storage /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v\n\"^#\"\n\n install usb-storage /bin/true\n\n If the command does not return any output, or the line is commented out,\nand use of USB Storage is not documented with the Information System Security\nOfficer (ISSO) as an operational requirement, this is a finding.\n\n Verify the operating system disables the ability to use USB mass storage\ndevices.\n\n Check to see if USB mass storage is disabled with the following command:\n\n # grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\" | grep -v\n\"^#\"\n blacklist usb-storage\n\n If the command does not return any output or the output is not \"blacklist\nusb-storage\", and use of USB storage devices is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.", + "__new": "If there is an HBSS with a Device Control Module and a Data Loss Prevention mechanism, this requirement is not applicable.\n\nVerify the operating system disables the ability to load the USB Storage kernel module.\n\n# grep -r usb-storage /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v \"^#\"\n\ninstall usb-storage /bin/true\n\nIf the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use USB mass storage devices.\n\nCheck to see if USB mass storage is disabled with the following command:\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\" | grep -v \"^#\"\nblacklist usb-storage\n\nIf the command does not return any output or the output is not \"blacklist 
usb-storage\", and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to disable the ability to use the USB\nStorage kernel module.\n\n Create a file under \"/etc/modprobe.d\" with the following command:\n\n # touch /etc/modprobe.d/usb-storage.conf\n\n Add the following line to the created file:\n\n install usb-storage /bin/true\n\n Configure the operating system to disable the ability to use USB mass\nstorage devices.\n\n # vi /etc/modprobe.d/blacklist.conf\n\n Add or update the line:\n\n blacklist usb-storage", + "__new": "Configure the operating system to disable the ability to use the USB Storage kernel module.\n\nCreate a file under \"/etc/modprobe.d\" with the following command:\n\n# touch /etc/modprobe.d/usb-storage.conf\n\nAdd the following line to the created file:\n\ninstall usb-storage /bin/true\n\nConfigure the operating system to disable the ability to use USB mass storage devices.\n\n# vi /etc/modprobe.d/blacklist.conf\n\nAdd or update the line:\n\nblacklist usb-storage" + } } }, "V-71985": { + "describe__deleted": " describe systemd_service('autofs.service') do\n it { should_not be_running }\n it { should_not be_enabled }\n it { should_not be_installed }\n end", "tags": { - "check_id": "C-72217r1_chk", - "severity": "medium", - "gid": "V-71985", - "rid": "SV-86609r2_rule", - "stig_id": "RHEL-07-020110", - "gtitle": "SRG-OS-000114-GPOS-00059", - "fix_id": "F-78337r2_fix", - "cci": [ - "CCI-000366", - "CCI-000778", - "CCI-001958" - ], - "nist": [ - "CM-6 b", - "IA-3", - "IA-3" - ] + "check_id__added": "C-72217r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71985" - ], - "title": "The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.", - 
"desc": "[\"Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.\\n\\nSatisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must disable the file\nsystem automounter unless required.", + "__new": "The Red Hat Enterprise Linux operating system must disable the file system automounter unless required." + }, + "desc": { + "__old": "Automatically mounting file systems permits easy introduction of\nunknown devices, thereby facilitating malicious activity.", + "__new": "Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.\n\n" + }, "descs": { - "check": "Verify the operating system disables the ability to automount devices.\n\nCheck to see if automounter service is active with the following command:\n\n# systemctl status autofs\nautofs.service - Automounts filesystems on demand\n Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)\n Active: inactive (dead)\n\nIf the \"autofs\" status is set to \"active\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Configure the operating system to disable the ability to automount devices.\n\nTurn off the automount service with the following commands:\n\n# systemctl stop autofs\n# systemctl disable autofs\n\nIf \"autofs\" is required for Network File System (NFS), it must be documented with the ISSO." 
+ "default__deleted": "Automatically mounting file systems permits easy introduction of\nunknown devices, thereby facilitating malicious activity.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system disables the ability to automount devices.\n\n Check to see if automounter service is active with the following command:\n\n # systemctl status autofs\n autofs.service - Automounts filesystems on demand\n Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)\n Active: inactive (dead)\n\n If the \"autofs\" status is set to \"active\" and is not documented with\nthe Information System Security Officer (ISSO) as an operational requirement,\nthis is a finding.", + "__new": "Verify the operating system disables the ability to automount devices.\n\nCheck to see if automounter service is active with the following command:\n\n# systemctl status autofs\nautofs.service - Automounts filesystems on demand\n Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)\n Active: inactive (dead)\n\nIf the \"autofs\" status is set to \"active\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to disable the ability to automount devices.\n\n Turn off the automount service with the following commands:\n\n # systemctl stop autofs\n # systemctl disable autofs\n\n If \"autofs\" is required for Network File System (NFS), it must be\ndocumented with the ISSO.", + "__new": "Configure the operating system to disable the ability to automount devices.\n\nTurn off the automount service with the following commands:\n\n# systemctl stop autofs\n# systemctl disable autofs\n\nIf \"autofs\" is required for Network File System (NFS), it must be documented with the ISSO." 
+ } } }, "V-71987": { + "describe__deleted": " describe parse_config_file(\"/etc/yum.conf\") do\n its('main.clean_requirements_on_remove') { should match %r{1|True|yes}i }\n end", "tags": { - "check_id": "C-72219r1_chk", - "severity": "low", - "gid": "V-71987", - "rid": "SV-86611r2_rule", - "stig_id": "RHEL-07-020200", - "gtitle": "SRG-OS-000437-GPOS-00194", - "fix_id": "F-78339r1_fix", - "cci": [ - "CCI-002617" - ], - "nist": [ - "SI-2 (6)" - ] + "check_id__added": "C-72219r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "low" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71987" - ], - "title": "The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed.", - "desc": "[\"Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.false\"]", - "impact": 0.3, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must remove all software\ncomponents after updated versions have been installed.", + "__new": "The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed." + }, + "desc": { + "__old": "Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. Some information technology products may remove older versions of\nsoftware automatically from the information system.", + "__new": "Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system." 
+ }, "descs": { - "check": "Verify the operating system removes all software components after updated versions have been installed.\n\nCheck if yum is configured to remove unneeded packages with the following command:\n\n# grep -i clean_requirements_on_remove /etc/yum.conf\nclean_requirements_on_remove=1\n\nIf \"clean_requirements_on_remove\" is not set to \"1\", \"True\", or \"yes\", or is not set in \"/etc/yum.conf\", this is a finding.", - "fix": "Configure the operating system to remove all software components after updated versions have been installed.\n\nSet the \"clean_requirements_on_remove\" option to \"1\" in the \"/etc/yum.conf\" file:\n\nclean_requirements_on_remove=1" + "default__deleted": "Previous versions of software components that are not removed from the\ninformation system after updates have been installed may be exploited by\nadversaries. Some information technology products may remove older versions of\nsoftware automatically from the information system.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system removes all software components after updated\nversions have been installed.\n\n Check if yum is configured to remove unneeded packages with the following\ncommand:\n\n # grep -i clean_requirements_on_remove /etc/yum.conf\n clean_requirements_on_remove=1\n\n If \"clean_requirements_on_remove\" is not set to \"1\", \"True\", or\n\"yes\", or is not set in \"/etc/yum.conf\", this is a finding.", + "__new": "Verify the operating system removes all software components after updated versions have been installed.\n\nCheck if yum is configured to remove unneeded packages with the following command:\n\n# grep -i clean_requirements_on_remove /etc/yum.conf\nclean_requirements_on_remove=1\n\nIf \"clean_requirements_on_remove\" is not set to \"1\", \"True\", or \"yes\", or is not set in \"/etc/yum.conf\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to remove all software components after\nupdated versions have been installed.\n\n Set the \"clean_requirements_on_remove\" option to \"1\" in the\n\"/etc/yum.conf\" file:\n\n clean_requirements_on_remove=1", + "__new": "Configure the operating system to remove all software components after updated versions have been installed.\n\nSet the \"clean_requirements_on_remove\" option to \"1\" in the \"/etc/yum.conf\" file:\n\nclean_requirements_on_remove=1" + } } }, "V-71989": { + "describe__deleted": " if package('MFEhiplsm').installed? && processes(/hipclient/).exist?\n impact 0.0\n describe \"HIPS is active on the system\" do\n skip \"A HIPS process is active on the system, this control is Not Applicable.\"\n end\n elsif service('cma').installed? && service('cma').enabled?\n impact 0.0\n describe \"HBSS is active on the system\" do\n skip \"A HBSS service is active on the system, this control is Not Applicable.\"\n end\n else\n impact 0.7\n describe command('getenforce') do\n its('stdout.strip') { should eq 'Enforcing' }\n end\n end", "tags": { - "check_id": "C-72221r6_chk", - "severity": "high", - "gid": "V-71989", - "rid": "SV-86613r3_rule", - "stig_id": "RHEL-07-020210", - "gtitle": "SRG-OS-000445-GPOS-00199", - "fix_id": "F-78341r2_fix", - "cci": [ - "CCI-002165", - "CCI-002696" - ], - "nist": [ - "AC-3 (4)", - "SI-6 a" - ] + "check_id__added": "C-72221r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71989" - ], - "title": "The Red Hat Enterprise Linux operating system must enable SELinux.", - "desc": "[\"Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. 
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\\n\\nThis requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.false\"]", - "impact": 0.7, + "desc": { + "__old": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to operating systems performing security function\nverification/testing and/or systems and environments that require this\nfunctionality.", + "__new": "Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality." + }, "descs": { - "check": "If an HBSS or HIPS is active on the system, this is Not Applicable.\n\nVerify the operating system verifies correct operation of all security functions.\n\nCheck if \"SELinux\" is active and in \"Enforcing\" mode with the following command:\n\n# getenforce\nEnforcing\n\nIf \"SELinux\" is not active and not in \"Enforcing\" mode, this is a finding.", - "fix": "Configure the operating system to verify correct operation of all security functions.\n\nSet the \"SELinux\" status and the \"Enforcing\" mode by modifying the \"/etc/selinux/config\" file to have the following line:\n\nSELINUX=enforcing\n\nA reboot is required for the changes to take effect." + "default__deleted": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to operating systems performing security function\nverification/testing and/or systems and environments that require this\nfunctionality.", + "rationale__deleted": "", + "check": { + "__old": "If an HBSS or HIPS is active on the system, this is Not Applicable.\n\n Verify the operating system verifies correct operation of all security\nfunctions.\n\n Check if \"SELinux\" is active and in \"Enforcing\" mode with the following\ncommand:\n\n # getenforce\n Enforcing\n\n If \"SELinux\" is not active and not in \"Enforcing\" mode, this is a\nfinding.", + "__new": "If an HBSS or HIPS is active on the system, this is Not Applicable.\n\nVerify the operating system verifies correct operation of all security functions.\n\nCheck if \"SELinux\" is active and in \"Enforcing\" mode with the following command:\n\n# getenforce\nEnforcing\n\nIf \"SELinux\" is not active and not in \"Enforcing\" mode, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to verify correct operation of all security\nfunctions.\n\n Set the \"SELinux\" status and the \"Enforcing\" mode by modifying the\n\"/etc/selinux/config\" file to have the following line:\n\n SELINUX=enforcing\n\n A reboot is required for the changes to take effect.", + "__new": "Configure the operating system to verify correct operation of all security functions.\n\nSet the \"SELinux\" status and the \"Enforcing\" mode by modifying the \"/etc/selinux/config\" file to have the following line:\n\nSELINUX=enforcing\n\nA reboot is required for the changes to take effect." 
+ } } }, "V-71991": { + "describe__deleted": " describe.one do\n describe command('sestatus') do\n its('stdout') { should match %r{^Policy\\sfrom\\sconfigs\\sfile:\\s+targeted\\n?$} }\n end\n describe command('sestatus') do\n its('stdout') { should match %r{^Loaded\\spolicy\\sname:\\s+targeted\\n?$} }\n end\n end", "tags": { - "check_id": "C-72223r8_chk", - "severity": "high", - "gid": "V-71991", - "rid": "SV-86615r5_rule", - "stig_id": "RHEL-07-020220", - "gtitle": "SRG-OS-000445-GPOS-00199", - "fix_id": "F-78343r2_fix", - "cci": [ - "CCI-002165", - "CCI-002696" - ], - "nist": [ - "AC-3 (4)", - "SI-6 a" - ] + "check_id__added": "C-72223r8_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71991" - ], - "title": "The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.", - "desc": "[\"Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\\n\\nThis requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must enable the SELinux\ntargeted policy.", + "__new": "The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy." 
+ }, + "desc": { + "__old": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to operating systems performing security function\nverification/testing and/or systems and environments that require this\nfunctionality.", + "__new": "Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality." 
+ }, "descs": { - "check": "If an HBSS or HIPS is active on the system, this is Not Applicable.\n\nVerify the operating system verifies correct operation of all security functions.\n\nCheck if \"SELinux\" is active and is enforcing the targeted policy with the following command:\n\n# sestatus\n\nSELinux status: enabled\n\nSELinuxfs mount: /selinux\n\nSELinux root directory: /etc/selinux\n\nLoaded policy name: targeted\n\nCurrent mode: enforcing\n\nMode from config file: enforcing\n\nPolicy MLS status: enabled\n\nPolicy deny_unknown status: allowed\n\nMax kernel policy version: 28\n\nIf the \"Loaded policy name\" is not set to \"targeted\", this is a finding.\n\nVerify that the /etc/selinux/config file is configured to the \"SELINUXTYPE\" to \"targeted\":\n\n# grep -i \"selinuxtype\" /etc/selinux/config | grep -v '^#'\n\nSELINUXTYPE = targeted\n\nIf no results are returned or \"SELINUXTYPE\" is not set to \"targeted\", this is a finding.", - "fix": "Configure the operating system to verify correct operation of all security functions.\n\nSet the \"SELinuxtype\" to the \"targeted\" policy by modifying the \"/etc/selinux/config\" file to have the following line:\n\nSELINUXTYPE=targeted\n\nA reboot is required for the changes to take effect." + "default__deleted": "Without verification of the security functions, security functions may\nnot operate correctly and the failure may go unnoticed. Security function is\ndefined as the hardware, software, and/or firmware of the information system\nresponsible for enforcing the system security policy and supporting the\nisolation of code and data on which the protection is based. 
Security\nfunctionality includes, but is not limited to, establishing system accounts,\nconfiguring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\n This requirement applies to operating systems performing security function\nverification/testing and/or systems and environments that require this\nfunctionality.", + "rationale__deleted": "", + "check": { + "__old": "If an HBSS or HIPS is active on the system, this is Not Applicable.\n\n Verify the operating system verifies correct operation of all security\nfunctions.\n\n Check if \"SELinux\" is active and is enforcing the targeted policy with\nthe following command:\n\n # sestatus\n\n SELinux status: enabled\n\n SELinuxfs mount: /selinux\n\n SELinux root directory: /etc/selinux\n\n Loaded policy name: targeted\n\n Current mode: enforcing\n\n Mode from config file: enforcing\n\n Policy MLS status: enabled\n\n Policy deny_unknown status: allowed\n\n Max kernel policy version: 28\n\n If the \"Loaded policy name\" is not set to \"targeted\", this is a finding.\n\n Verify that the /etc/selinux/config file is configured to the\n\"SELINUXTYPE\" to \"targeted\":\n\n # grep -i \"selinuxtype\" /etc/selinux/config | grep -v '^#'\n\n SELINUXTYPE = targeted\n\n If no results are returned or \"SELINUXTYPE\" is not set to \"targeted\",\nthis is a finding.", + "__new": "If an HBSS or HIPS is active on the system, this is Not Applicable.\n\nVerify the operating system verifies correct operation of all security functions.\n\nCheck if \"SELinux\" is active and is enforcing the targeted policy with the following command:\n\n# sestatus\n\nSELinux status: enabled\n\nSELinuxfs mount: /selinux\n\nSELinux root directory: /etc/selinux\n\nLoaded policy name: targeted\n\nCurrent mode: enforcing\n\nMode from config file: enforcing\n\nPolicy MLS status: enabled\n\nPolicy deny_unknown status: allowed\n\nMax kernel policy version: 28\n\nIf the \"Loaded policy 
name\" is not set to \"targeted\", this is a finding.\n\nVerify that the /etc/selinux/config file is configured to the \"SELINUXTYPE\" to \"targeted\":\n\n# grep -i \"selinuxtype\" /etc/selinux/config | grep -v '^#'\n\nSELINUXTYPE = targeted\n\nIf no results are returned or \"SELINUXTYPE\" is not set to \"targeted\", this is a finding." + }, + "fix": { + "__old": "Configure the operating system to verify correct operation of all security\nfunctions.\n\n Set the \"SELinuxtype\" to the \"targeted\" policy by modifying the\n\"/etc/selinux/config\" file to have the following line:\n\n SELINUXTYPE=targeted\n\n A reboot is required for the changes to take effect.", + "__new": "Configure the operating system to verify correct operation of all security functions.\n\nSet the \"SELinuxtype\" to the \"targeted\" policy by modifying the \"/etc/selinux/config\" file to have the following line:\n\nSELINUXTYPE=targeted\n\nA reboot is required for the changes to take effect." + } } }, "V-71993": { + "describe__deleted": " describe systemd_service('ctrl-alt-del.target') do\n it { should_not be_running }\n it { should_not be_enabled }\n end", "tags": { - "check_id": "C-72225r5_chk", - "severity": "high", - "gid": "V-71993", - "rid": "SV-86617r5_rule", - "stig_id": "RHEL-07-020230", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78345r6_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72225r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71993" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.", - "desc": "[\"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. 
If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line." + }, + "desc": { + "__old": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", + "__new": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken." 
+ }, "descs": { - "check": "Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n\nCheck that the ctrl-alt-del.target is masked and not active with the following command:\n\n# systemctl status ctrl-alt-del.target\n\nctrl-alt-del.target\nLoaded: masked (/dev/null; bad)\nActive: inactive (dead)\n\nIf the ctrl-alt-del.target is not masked, this is a finding.\n\nIf the ctrl-alt-del.target is active, this is a finding.", - "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command:\n\n# systemctl mask ctrl-alt-del.target" + "default__deleted": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\n Check that the ctrl-alt-del.target is masked and not active with the\nfollowing command:\n\n # systemctl status ctrl-alt-del.target\n\n ctrl-alt-del.target\n Loaded: masked (/dev/null; bad)\n Active: inactive (dead)\n\n If the ctrl-alt-del.target is not masked, this is a finding.\n\n If the ctrl-alt-del.target is active, this is a finding.", + "__new": "Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n\nCheck that the ctrl-alt-del.target is masked and not active with the following command:\n\n# systemctl status ctrl-alt-del.target\n\nctrl-alt-del.target\nLoaded: masked (/dev/null; bad)\nActive: inactive (dead)\n\nIf the ctrl-alt-del.target is not masked, this is a 
finding.\n\nIf the ctrl-alt-del.target is active, this is a finding." + }, + "fix": { + "__old": "Configure the system to disable the Ctrl-Alt-Delete sequence for the\ncommand line with the following command:\n\n # systemctl mask ctrl-alt-del.target", + "__new": "Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command:\n\n# systemctl mask ctrl-alt-del.target" + } } }, "V-71995": { + "describe__deleted": " if login_defs.read_params[\"UMASK\"].eql?('000')\n impact 0.7\n else\n impact 0.5\n end\n describe login_defs do\n its('UMASK') { should eq '077' }\n end", "tags": { - "check_id": "C-72227r1_chk", - "severity": "medium", - "gid": "V-71995", - "rid": "SV-86619r2_rule", - "stig_id": "RHEL-07-020240", - "gtitle": "SRG-OS-000480-GPOS-00228", - "fix_id": "F-78347r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72227r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71995" - ], - "title": "The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.", - "desc": "[\"Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must define default\npermissions for all authenticated users in such a way that the user can only\nread and modify their own files.", + "__new": "The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files." 
+ }, + "desc": { + "__old": "Setting the most restrictive default permissions ensures that when new\naccounts are created, they do not have unnecessary access.", + "__new": "Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access." + }, "descs": { - "check": "Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files.\n\nCheck for the value of the \"UMASK\" parameter in \"/etc/login.defs\" file with the following command:\n\nNote: If the value of the \"UMASK\" parameter is set to \"000\" in \"/etc/login.defs\" file, the Severity is raised to a CAT I.\n\n# grep -i umask /etc/login.defs\nUMASK 077\n\nIf the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\" parameter is missing or is commented out, this is a finding.", - "fix": "Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.\n\nAdd or edit the line for the \"UMASK\" parameter in \"/etc/login.defs\" file to \"077\":\n\nUMASK 077" + "default__deleted": "Setting the most restrictive default permissions ensures that when new\naccounts are created, they do not have unnecessary access.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system defines default permissions for all\nauthenticated users in such a way that the user can only read and modify their\nown files.\n\n Check for the value of the \"UMASK\" parameter in \"/etc/login.defs\" file\nwith the following command:\n\n Note: If the value of the \"UMASK\" parameter is set to \"000\" in\n\"/etc/login.defs\" file, the Severity is raised to a CAT I.\n\n # grep -i umask /etc/login.defs\n UMASK 077\n\n If the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\"\nparameter is missing or is commented out, this is a finding.", + "__new": "Verify 
the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files.\n\nCheck for the value of the \"UMASK\" parameter in \"/etc/login.defs\" file with the following command:\n\nNote: If the value of the \"UMASK\" parameter is set to \"000\" in \"/etc/login.defs\" file, the Severity is raised to a CAT I.\n\n# grep -i umask /etc/login.defs\nUMASK 077\n\nIf the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\" parameter is missing or is commented out, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to define default permissions for all\nauthenticated users in such a way that the user can only read and modify their\nown files.\n\n Add or edit the line for the \"UMASK\" parameter in \"/etc/login.defs\"\nfile to \"077\":\n\n UMASK 077", + "__new": "Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.\n\nAdd or edit the line for the \"UMASK\" parameter in \"/etc/login.defs\" file to \"077\":\n\nUMASK 077" + } } }, "V-71997": { + "describe__deleted": " describe file('/etc/redhat-release') do\n its('content') { should match %r{Release (6.7*|7.[2-9].*)}i }\n end", "tags": { - "check_id": "C-72229r11_chk", - "severity": "high", - "gid": "V-71997", - "rid": "SV-86621r5_rule", - "stig_id": "RHEL-07-020250", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78349r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72229r11_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71997" - ], - "title": "The Red Hat Enterprise Linux operating system must be a vendor supported release.", - "desc": "[\"An operating system release is considered \\\"supported\\\" if the vendor continues to provide security patches 
for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be a vendor\nsupported release.", + "__new": "The Red Hat Enterprise Linux operating system must be a vendor supported release." + }, + "desc": { + "__old": "An operating system release is considered \"supported\" if the vendor\ncontinues to provide security patches for the product. With an unsupported\nrelease, it will not be possible to resolve security issues discovered in the\nsystem software.", + "__new": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software." + }, "descs": { - "check": "Verify the version of the operating system is vendor supported.\n\nCheck the version of the operating system with the following command:\n\n# cat /etc/redhat-release\n\nRed Hat Enterprise Linux Server release 7.4 (Maipo)\n\nCurrent End of Life for RHEL 7.1 is 31 March 2017.\n\nCurrent End of Life for RHEL 7.2 is 30 November 2017.\n\nCurrent End of Life for RHEL 7.3 is 30 November 2018.\n\nCurrent End of Life for RHEL 7.4 is 31 August 2019.\n\nCurrent End of Life for RHEL 7.5 is 30 April 2020.\n\nCurrent End of Life for RHEL 7.6 is 31 October 2020.\n\nCurrent End of Life for RHEL 7.7 is 30 August 2021.\n\nIf the release is not supported by the vendor, this is a finding.", - "fix": "Upgrade to a supported version of the operating system." + "default__deleted": "An operating system release is considered \"supported\" if the vendor\ncontinues to provide security patches for the product. 
With an unsupported\nrelease, it will not be possible to resolve security issues discovered in the\nsystem software.", + "rationale__deleted": "" } }, "V-71999": { + "describe__deleted": " title \"The Red Hat Enterprise Linux operating system security patches and\n updates must be installed and up to date.\"\n desc \"Timely patching is critical for maintaining the operational\n availability, confidentiality, and integrity of information technology (IT)\n systems. However, failure to keep operating system and application software\n patched is a common mistake made by IT professionals. New patches are released\n daily, and it is often difficult for even experienced System Administrators to\n keep abreast of all the new patches. When new weaknesses in an operating system\n exist, patches are usually made available by the vendor to resolve the\n problems. If the most recent security patches and updates are not installed,\n unauthorized users may take advantage of weaknesses in the unpatched software.\n The lack of prompt attention to patching could result in a system compromise.\"\n\n desc \"check\", \"Verify the operating system security patches and updates are installed and\n up to date. Updates are required to be applied with a frequency determined by\n the site or Program Management Office (PMO).\n\n Obtain the list of available package security updates from Red Hat. The URL\n for updates is https://rhn.redhat.com/errata/. 
It is important to note that\n updates provided by Red Hat may not be present on the system if the underlying\n packages are not installed.\n\n Check that the available package security updates have been installed on\n the system with the following command:\n\n # yum history list | more\n Loaded plugins: langpacks, product-id, subscription-manager\n ID | Command line | Date and time | Action(s) |\n Altered\n\n -------------------------------------------------------------------------------\n 70 | install aide | 2016-05-05 10:58 | Install |\n 1\n 69 | update -y | 2016-05-04 14:34 | Update | 18 EE\n 68 | install vlc | 2016-04-21 17:12 | Install |\n 21\n 67 | update -y | 2016-04-21 17:04 | Update | 7 EE\n 66 | update -y | 2016-04-15 16:47 | E, I, U |\n 84 EE\n\n If package updates have not been performed on the system within the\n timeframe that the site/program documentation requires, this is a finding.\n\n If the operating system is in non-compliance with the Information Assurance\nVulnerability Management (IAVM) process, this is a finding.\n \"\n if input('disconnected_system')\n describe \"The system is set to a `disconnected` state and you must validate \n the state of the system packages manually\" do \n skip \"The system is set to a `disconnected` state and you must validate \n the state of the system packages manually, or through another process, if you \n have an established update and patch process, please set this control as \n `Not Applicable` with a `caevat` via an overlay.\"\n end\n else\n updates = linux_update.updates\n package_names = updates.map { |h| h[\"name\"] }\n\n describe.one do\n describe \"List of out-of-date packages\" do\n subject { package_names }\n it { should be_empty }\n end\n\n updates.each do |update|\n describe package(update[\"name\"]) do\n its(\"version\") { should eq update[\"version\"] }\n end\n end\n end\n end\n end", "tags": { - "check_id": "C-72231r3_chk", - "severity": "medium", - "gid": "V-71999", - "rid": "SV-86623r4_rule", 
- "stig_id": "RHEL-07-020260", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78351r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72231r3_chk", + "documentable__added": false }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-71999" - ], - "title": "The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.", - "desc": "[\"Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system security patches and\n updates must be installed and up to date.", + "__new": "The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date." + }, + "desc": { + "__old": "Timely patching is critical for maintaining the operational\n availability, confidentiality, and integrity of information technology (IT)\n systems. However, failure to keep operating system and application software\n patched is a common mistake made by IT professionals. New patches are released\n daily, and it is often difficult for even experienced System Administrators to\n keep abreast of all the new patches. 
When new weaknesses in an operating system\n exist, patches are usually made available by the vendor to resolve the\n problems. If the most recent security patches and updates are not installed,\n unauthorized users may take advantage of weaknesses in the unpatched software.\n The lack of prompt attention to patching could result in a system compromise.", + "__new": "Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise." + }, "descs": { - "check": "Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). \n\nObtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. 
It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.\n\nCheck that the available package security updates have been installed on the system with the following command:\n\n# yum history list | more\nLoaded plugins: langpacks, product-id, subscription-manager\nID | Command line | Date and time | Action(s) | Altered\n-------------------------------------------------------------------------------\n 70 | install aide | 2016-05-05 10:58 | Install | 1 \n 69 | update -y | 2016-05-04 14:34 | Update | 18 EE\n 68 | install vlc | 2016-04-21 17:12 | Install | 21 \n 67 | update -y | 2016-04-21 17:04 | Update | 7 EE\n 66 | update -y | 2016-04-15 16:47 | E, I, U | 84 EE\n\nIf package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. \n\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\nIf the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.", - "fix": "Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates." + "default__deleted": "Timely patching is critical for maintaining the operational\n availability, confidentiality, and integrity of information technology (IT)\n systems. However, failure to keep operating system and application software\n patched is a common mistake made by IT professionals. New patches are released\n daily, and it is often difficult for even experienced System Administrators to\n keep abreast of all the new patches. When new weaknesses in an operating system\n exist, patches are usually made available by the vendor to resolve the\n problems. 
If the most recent security patches and updates are not installed,\n unauthorized users may take advantage of weaknesses in the unpatched software.\n The lack of prompt attention to patching could result in a system compromise.", + "check": { + "__old": "Verify the operating system security patches and updates are installed and\n up to date. Updates are required to be applied with a frequency determined by\n the site or Program Management Office (PMO).\n\n Obtain the list of available package security updates from Red Hat. The URL\n for updates is https://rhn.redhat.com/errata/. It is important to note that\n updates provided by Red Hat may not be present on the system if the underlying\n packages are not installed.\n\n Check that the available package security updates have been installed on\n the system with the following command:\n\n # yum history list | more\n Loaded plugins: langpacks, product-id, subscription-manager\n ID | Command line | Date and time | Action(s) |\n Altered\n\n -------------------------------------------------------------------------------\n 70 | install aide | 2016-05-05 10:58 | Install |\n 1\n 69 | update -y | 2016-05-04 14:34 | Update | 18 EE\n 68 | install vlc | 2016-04-21 17:12 | Install |\n 21\n 67 | update -y | 2016-04-21 17:04 | Update | 7 EE\n 66 | update -y | 2016-04-15 16:47 | E, I, U |\n 84 EE\n\n If package updates have not been performed on the system within the\n timeframe that the site/program documentation requires, this is a finding.\n\n If the operating system is in non-compliance with the Information Assurance\nVulnerability Management (IAVM) process, this is a finding.", + "__new": "Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). \n\nObtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. 
It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.\n\nCheck that the available package security updates have been installed on the system with the following command:\n\n# yum history list | more\nLoaded plugins: langpacks, product-id, subscription-manager\nID | Command line | Date and time | Action(s) | Altered\n-------------------------------------------------------------------------------\n 70 | install aide | 2016-05-05 10:58 | Install | 1 \n 69 | update -y | 2016-05-04 14:34 | Update | 18 EE\n 68 | install vlc | 2016-04-21 17:12 | Install | 21 \n 67 | update -y | 2016-04-21 17:04 | Update | 7 EE\n 66 | update -y | 2016-04-15 16:47 | E, I, U | 84 EE\n\nIf package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. \n\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\nIf the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding." + }, + "fix": { + "__old": "Install the operating system patches or updated packages\navailable from Red Hat within 30 days or sooner as local policy dictates.", + "__new": "Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates." 
+ } } }, "V-72001": { + "describe__deleted": " known_system_accounts = input('known_system_accounts')\n user_accounts = input('user_accounts')\n\n allowed_accounts = (known_system_accounts + user_accounts).uniq\n passwd.users.each do |user|\n describe user do\n it \"is listed in allowed users.\" do\n expect(subject).to(be_in allowed_accounts)\n end\n end\n end", "tags": { - "check_id": "C-72233r1_chk", - "severity": "medium", - "gid": "V-72001", - "rid": "SV-86625r2_rule", - "stig_id": "RHEL-07-020270", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78353r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72233r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72001" - ], - "title": "The Red Hat Enterprise Linux operating system must not have unnecessary accounts.", - "desc": "[\"Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not have\nunnecessary accounts.", + "__new": "The Red Hat Enterprise Linux operating system must not have unnecessary accounts." + }, + "desc": { + "__old": "Accounts providing no operational purpose provide additional\nopportunities for system compromise. Unnecessary accounts include user accounts\nfor individuals not requiring access to the system and application accounts for\napplications not installed on the system.", + "__new": "Accounts providing no operational purpose provide additional opportunities for system compromise. 
Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system." + }, "descs": { - "check": "Verify all accounts on the system are assigned to an active system, application, or user account.\n\nObtain the list of authorized system accounts from the Information System Security Officer (ISSO).\n\nCheck the system accounts on the system with the following command:\n\n# more /etc/passwd\nroot:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\ngames:x:12:100:games:/usr/games:/sbin/nologin\ngopher:x:13:30:gopher:/var/gopher:/sbin/nologin\n\nAccounts such as \"games\" and \"gopher\" are not authorized accounts as they do not support authorized system functions. \n\nIf the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.", - "fix": "Configure the system so all accounts on the system are assigned to an active system, application, or user account. \n\nRemove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. \n\nDocument all authorized accounts on the system." + "default__deleted": "Accounts providing no operational purpose provide additional\nopportunities for system compromise. 
Unnecessary accounts include user accounts\nfor individuals not requiring access to the system and application accounts for\napplications not installed on the system.", + "rationale__deleted": "", + "check": { + "__old": "Verify all accounts on the system are assigned to an active system,\napplication, or user account.\n\n Obtain the list of authorized system accounts from the Information System\nSecurity Officer (ISSO).\n\n Check the system accounts on the system with the following command:\n\n # more /etc/passwd\n root:x:0:0:root:/root:/bin/bash\n bin:x:1:1:bin:/bin:/sbin/nologin\n daemon:x:2:2:daemon:/sbin:/sbin/nologin\n sync:x:5:0:sync:/sbin:/bin/sync\n shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\n halt:x:7:0:halt:/sbin:/sbin/halt\n games:x:12:100:games:/usr/games:/sbin/nologin\n gopher:x:13:30:gopher:/var/gopher:/sbin/nologin\n\n Accounts such as \"games\" and \"gopher\" are not authorized accounts as\nthey do not support authorized system functions.\n\n If the accounts on the system do not match the provided documentation, or\naccounts that do not support an authorized system function are present, this is\na finding.", + "__new": "Verify all accounts on the system are assigned to an active system, application, or user account.\n\nObtain the list of authorized system accounts from the Information System Security Officer (ISSO).\n\nCheck the system accounts on the system with the following command:\n\n# more /etc/passwd\nroot:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\ngames:x:12:100:games:/usr/games:/sbin/nologin\ngopher:x:13:30:gopher:/var/gopher:/sbin/nologin\n\nAccounts such as \"games\" and \"gopher\" are not authorized accounts as they do not support authorized system functions. 
\n\nIf the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding." + }, + "fix": { + "__old": "Configure the system so all accounts on the system are assigned to an\nactive system, application, or user account.\n\n Remove accounts that do not support approved system activities or that\nallow for a normal user to perform administrative-level actions.\n\n Document all authorized accounts on the system.", + "__new": "Configure the system so all accounts on the system are assigned to an active system, application, or user account. \n\nRemove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. \n\nDocument all authorized accounts on the system." + } } }, "V-72003": { + "describe__deleted": " passwd.gids.each do |gid|\n describe etc_group do\n its('gids') { should include gid.to_i }\n end\n end", "tags": { - "check_id": "C-72235r1_chk", - "severity": "low", - "gid": "V-72003", - "rid": "SV-86627r2_rule", - "stig_id": "RHEL-07-020300", - "gtitle": "SRG-OS-000104-GPOS-00051", - "fix_id": "F-78355r1_fix", - "cci": [ - "CCI-000764" - ], - "nist": [ - "IA-2" - ] + "check_id__added": "C-72235r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "low" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72003" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.", - "desc": "[\"If a user is assigned the GID of a group not existing on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.false\"]", - "impact": 0.3, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all Group Identifiers 
(GIDs) referenced in the /etc/passwd file are\ndefined in the /etc/group file.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file." + }, + "desc": { + "__old": "If a user is assigned the GID of a group not existing on the system,\nand a group with the GID is subsequently created, the user may have unintended\nrights to any files associated with the group.", + "__new": "If a user is assigned the GID of a group not existing on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group." + }, "descs": { - "check": "Verify all GIDs referenced in the \"/etc/passwd\" file are defined in the \"/etc/group\" file.\n\nCheck that all referenced GIDs exist with the following command:\n\n# pwck -r\n\nIf GIDs referenced in \"/etc/passwd\" file are returned as not defined in \"/etc/group\" file, this is a finding.", - "fix": "Configure the system to define all GIDs found in the \"/etc/passwd\" file by modifying the \"/etc/group\" file to add any non-existent group referenced in the \"/etc/passwd\" file, or change the GIDs referenced in the \"/etc/passwd\" file to a group that exists in \"/etc/group\"." 
+ "default__deleted": "If a user is assigned the GID of a group not existing on the system,\nand a group with the GID is subsequently created, the user may have unintended\nrights to any files associated with the group.", + "rationale__deleted": "", + "check": { + "__old": "Verify all GIDs referenced in the \"/etc/passwd\" file are defined in the\n\"/etc/group\" file.\n\n Check that all referenced GIDs exist with the following command:\n\n # pwck -r\n\n If GIDs referenced in \"/etc/passwd\" file are returned as not defined in\n\"/etc/group\" file, this is a finding.", + "__new": "Verify all GIDs referenced in the \"/etc/passwd\" file are defined in the \"/etc/group\" file.\n\nCheck that all referenced GIDs exist with the following command:\n\n# pwck -r\n\nIf GIDs referenced in \"/etc/passwd\" file are returned as not defined in \"/etc/group\" file, this is a finding." + }, + "fix": { + "__old": "Configure the system to define all GIDs found in the\n\"/etc/passwd\" file by modifying the \"/etc/group\" file to add any\nnon-existent group referenced in the \"/etc/passwd\" file, or change the GIDs\nreferenced in the \"/etc/passwd\" file to a group that exists in\n\"/etc/group\".", + "__new": "Configure the system to define all GIDs found in the \"/etc/passwd\" file by modifying the \"/etc/group\" file to add any non-existent group referenced in the \"/etc/passwd\" file, or change the GIDs referenced in the \"/etc/passwd\" file to a group that exists in \"/etc/group\"." 
+ } } }, "V-72005": { + "describe__deleted": " describe passwd.uids(0) do\n its('users') { should cmp 'root' }\n its('entries.length') { should eq 1 }\n end", "tags": { - "check_id": "C-72237r1_chk", - "severity": "high", - "gid": "V-72005", - "rid": "SV-86629r2_rule", - "stig_id": "RHEL-07-020310", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78357r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72237r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72005" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.", - "desc": "[\"If an account other than root also has a User Identifier (UID) of \\\"0\\\", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of \\\"0\\\" afford an opportunity for potential intruders to guess a password for a privileged account.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the root account must be the only account having unrestricted access to\nthe system.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system." + }, + "desc": { + "__old": "If an account other than root also has a User Identifier (UID) of\n\"0\", it has root authority, giving that account unrestricted access to the\nentire operating system. 
Multiple accounts with a UID of \"0\" afford an\nopportunity for potential intruders to guess a password for a privileged\naccount.", + "__new": "If an account other than root also has a User Identifier (UID) of \"0\", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of \"0\" afford an opportunity for potential intruders to guess a password for a privileged account." + }, "descs": { - "check": "Check the system for duplicate UID \"0\" assignments with the following command:\n\n# awk -F: '$3 == 0 {print $1}' /etc/passwd\n\nIf any accounts other than root have a UID of \"0\", this is a finding.", - "fix": "Change the UID of any account on the system, other than root, that has a UID of \"0\". \n\nIf the account is associated with system commands or applications, the UID should be changed to one greater than \"0\" but less than \"1000\". Otherwise, assign a UID of greater than \"1000\" that has not already been assigned." + "default__deleted": "If an account other than root also has a User Identifier (UID) of\n\"0\", it has root authority, giving that account unrestricted access to the\nentire operating system. Multiple accounts with a UID of \"0\" afford an\nopportunity for potential intruders to guess a password for a privileged\naccount.", + "rationale__deleted": "", + "check": { + "__old": "Check the system for duplicate UID \"0\" assignments with the following\ncommand:\n\n # awk -F: '$3 == 0 {print $1}' /etc/passwd\n\n If any accounts other than root have a UID of \"0\", this is a finding.", + "__new": "Check the system for duplicate UID \"0\" assignments with the following command:\n\n# awk -F: '$3 == 0 {print $1}' /etc/passwd\n\nIf any accounts other than root have a UID of \"0\", this is a finding." 
+ }, + "fix": { + "__old": "Change the UID of any account on the system, other than root, that has a\nUID of \"0\".\n\n If the account is associated with system commands or applications, the UID\nshould be changed to one greater than \"0\" but less than \"1000\". Otherwise,\nassign a UID of greater than \"1000\" that has not already been assigned.", + "__new": "Change the UID of any account on the system, other than root, that has a UID of \"0\". \n\nIf the account is associated with system commands or applications, the UID should be changed to one greater than \"0\" but less than \"1000\". Otherwise, assign a UID of greater than \"1000\" that has not already been assigned." + } } }, "V-72007": { + "describe__deleted": " command('grep -v \"nodev\" /proc/filesystems | awk \\'NF{ print $NF }\\'').\n stdout.strip.split(\"\\n\").each do |fs|\n describe command(\"find / -xdev -xautofs -fstype #{fs} -nouser\") do\n its('stdout.strip') { should be_empty }\n end\n end", "tags": { - "check_id": "C-72239r2_chk", - "severity": "medium", - "gid": "V-72007", - "rid": "SV-86631r3_rule", - "stig_id": "RHEL-07-020320", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78359r1_fix", - "cci": [ - "CCI-002165" - ], - "nist": [ - "AC-3 (4)" - ] + "check_id__added": "C-72239r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72007" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner.", - "desc": "[\"Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier \\\"UID\\\" as the UID of the un-owned files.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all files and directories have a valid owner.", + "__new": "The Red Hat Enterprise Linux operating system must be 
configured so that all files and directories have a valid owner." + }, + "desc": { + "__old": "Unowned files and directories may be unintentionally inherited if a\nuser is assigned the same User Identifier \"UID\" as the UID of the un-owned\nfiles.", + "__new": "Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier \"UID\" as the UID of the un-owned files." + }, "descs": { - "check": "Verify all files and directories on the system have a valid owner.\n\nCheck the owner of all files and directories with the following command:\n\nNote: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.\n\n# find / -fstype xfs -nouser\n\nIf any files on the system do not have an assigned owner, this is a finding.", - "fix": "Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the \"chown\" command:\n\n# chown " + "default__deleted": "Unowned files and directories may be unintentionally inherited if a\nuser is assigned the same User Identifier \"UID\" as the UID of the un-owned\nfiles.", + "rationale__deleted": "", + "check": { + "__old": "Verify all files and directories on the system have a valid owner.\n\n Check the owner of all files and directories with the following command:\n\n Note: The value after -fstype must be replaced with the filesystem type.\nXFS is used as an example.\n\n # find / -fstype xfs -nouser\n\n If any files on the system do not have an assigned owner, this is a finding.", + "__new": "Verify all files and directories on the system have a valid owner.\n\nCheck the owner of all files and directories with the following command:\n\nNote: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.\n\n# find / -fstype xfs -nouser\n\nIf any files on the system do not have an assigned owner, this is a finding." 
+ }, + "fix": { + "__old": "Either remove all files and directories from the system that do not have a\nvalid user, or assign a valid user to all unowned files and directories on the\nsystem with the \"chown\" command:\n\n # chown ", + "__new": "Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the \"chown\" command:\n\n# chown " + } } }, "V-72009": { + "describe__deleted": " command('grep -v \"nodev\" /proc/filesystems | awk \\'NF{ print $NF }\\'').\n stdout.strip.split(\"\\n\").each do |fs|\n describe command(\"find / -xdev -xautofs -fstype #{fs} -nogroup\") do\n its('stdout.strip') { should be_empty }\n end\n end", "tags": { - "check_id": "C-72241r3_chk", - "severity": "medium", - "gid": "V-72009", - "rid": "SV-86633r3_rule", - "stig_id": "RHEL-07-020330", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78361r1_fix", - "cci": [ - "CCI-002165" - ], - "nist": [ - "AC-3 (4)" - ] + "check_id__added": "C-72241r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72009" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner.", - "desc": "[\"Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all files and directories have a valid group owner.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner." 
+ }, + "desc": { + "__old": "Files without a valid group owner may be unintentionally inherited if\na group is assigned the same Group Identifier (GID) as the GID of the files\nwithout a valid group owner.", + "__new": "Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner." + }, "descs": { - "check": "Verify all files and directories on the system have a valid group.\n\nCheck the owner of all files and directories with the following command:\n\nNote: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.\n\n# find / -fstype xfs -nogroup\n\nIf any files on the system do not have an assigned group, this is a finding.", - "fix": "Either remove all files and directories from the system that do not have a valid group, or assign a valid group to all files and directories on the system with the \"chgrp\" command:\n\n# chgrp " + "default__deleted": "Files without a valid group owner may be unintentionally inherited if\na group is assigned the same Group Identifier (GID) as the GID of the files\nwithout a valid group owner.", + "rationale__deleted": "", + "check": { + "__old": "Verify all files and directories on the system have a valid group.\n\n Check the owner of all files and directories with the following command:\n\n Note: The value after -fstype must be replaced with the filesystem type.\nXFS is used as an example.\n\n # find / -fstype xfs -nogroup\n\n If any files on the system do not have an assigned group, this is a finding.", + "__new": "Verify all files and directories on the system have a valid group.\n\nCheck the owner of all files and directories with the following command:\n\nNote: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.\n\n# find / -fstype xfs -nogroup\n\nIf any files on the system do not have an assigned group, this is a finding." 
+ }, + "fix": { + "__old": "Either remove all files and directories from the system that do not have a\nvalid group, or assign a valid group to all files and directories on the system\nwith the \"chgrp\" command:\n\n # chgrp ", + "__new": "Either remove all files and directories from the system that do not have a valid group, or assign a valid group to all files and directories on the system with the \"chgrp\" command:\n\n# chgrp " + } } }, "V-72011": { + "describe__deleted": " exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n users.where{ !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)}.entries.each do |user_info|\n next if exempt_home_users.include?(\"#{user_info.username}\")\n describe directory(user_info.home) do\n it { should exist }\n end\n end", "tags": { - "check_id": "C-72243r1_chk", - "severity": "medium", - "gid": "V-72011", - "rid": "SV-86635r2_rule", - "stig_id": "RHEL-07-020600", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78363r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72243r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72011" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file.", - "desc": "[\"If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all local interactive users have a home directory assigned in the\n/etc/passwd file.", + "__new": 
"The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file." + }, + "desc": { + "__old": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", + "__new": "If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own." + }, "descs": { - "check": "Verify local interactive users on the system have a home directory assigned.\n\nCheck for missing local interactive user home directories with the following command:\n\n# pwck -r\nuser 'lp': directory '/var/spool/lpd' does not exist\nuser 'news': directory '/var/spool/news' does not exist\nuser 'uucp': directory '/var/spool/uucp' does not exist\nuser 'smithj': directory '/home/smithj' does not exist\n\nAsk the System Administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command:\n\n# cut -d: -f 1,3 /etc/passwd | egrep \":[1-4][0-9]{2}$|:[0-9]{1,2}$\"\n\nIf any interactive users do not have a home directory assigned, this is a finding.", - "fix": "Assign home directories to all local interactive users that currently do not have a home directory assigned." 
+ "default__deleted": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", + "rationale__deleted": "", + "check": { + "__old": "Verify local interactive users on the system have a home directory assigned.\n\n Check for missing local interactive user home directories with the\nfollowing command:\n\n # pwck -r\n user 'lp': directory '/var/spool/lpd' does not exist\n user 'news': directory '/var/spool/news' does not exist\n user 'uucp': directory '/var/spool/uucp' does not exist\n user 'smithj': directory '/home/smithj' does not exist\n\n Ask the System Administrator (SA) if any users found without home\ndirectories are local interactive users. If the SA is unable to provide a\nresponse, check for users with a User Identifier (UID) of 1000 or greater with\nthe following command:\n\n # cut -d: -f 1,3 /etc/passwd | egrep \":[1-4][0-9]{2}$|:[0-9]{1,2}$\"\n\n If any interactive users do not have a home directory assigned, this is a\nfinding.", + "__new": "Verify local interactive users on the system have a home directory assigned.\n\nCheck for missing local interactive user home directories with the following command:\n\n# pwck -r\nuser 'lp': directory '/var/spool/lpd' does not exist\nuser 'news': directory '/var/spool/news' does not exist\nuser 'uucp': directory '/var/spool/uucp' does not exist\nuser 'smithj': directory '/home/smithj' does not exist\n\nAsk the System Administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command:\n\n# cut -d: -f 1,3 /etc/passwd | egrep \":[1-4][0-9]{2}$|:[0-9]{1,2}$\"\n\nIf any interactive users do not have a home directory assigned, this is a finding." 
+ }, + "fix": { + "__old": "Assign home directories to all local interactive users that\ncurrently do not have a home directory assigned.", + "__new": "Assign home directories to all local interactive users that currently do not have a home directory assigned." + } } }, "V-72013": { + "describe__deleted": " describe login_defs do\n its('CREATE_HOME') { should eq 'yes' }\n end", "tags": { - "check_id": "C-72245r1_chk", - "severity": "medium", - "gid": "V-72013", - "rid": "SV-86637r2_rule", - "stig_id": "RHEL-07-020610", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78365r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72245r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72013" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.", - "desc": "[\"If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all local interactive user accounts, upon creation, are assigned a home\ndirectory.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory." + }, + "desc": { + "__old": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", + "__new": "If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own." 
+ }, "descs": { - "check": "Verify all local interactive users on the system are assigned a home directory upon creation.\n\nCheck to see if the system is configured to create home directories for local interactive users with the following command:\n\n# grep -i create_home /etc/login.defs\nCREATE_HOME yes\n\nIf the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line is missing, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to assign home directories to all new local interactive users by setting the \"CREATE_HOME\" parameter in \"/etc/login.defs\" to \"yes\" as follows.\n\nCREATE_HOME yes" + "default__deleted": "If local interactive users are not assigned a valid home directory,\nthere is no place for the storage and control of files they should own.", + "rationale__deleted": "", + "check": { + "__old": "Verify all local interactive users on the system are assigned a home\ndirectory upon creation.\n\n Check to see if the system is configured to create home directories for\nlocal interactive users with the following command:\n\n # grep -i create_home /etc/login.defs\n CREATE_HOME yes\n\n If the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line\nis missing, or the line is commented out, this is a finding.", + "__new": "Verify all local interactive users on the system are assigned a home directory upon creation.\n\nCheck to see if the system is configured to create home directories for local interactive users with the following command:\n\n# grep -i create_home /etc/login.defs\nCREATE_HOME yes\n\nIf the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line is missing, or the line is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to assign home directories to all new local\ninteractive users by setting the \"CREATE_HOME\" parameter in\n\"/etc/login.defs\" to \"yes\" as follows.\n\n CREATE_HOME yes", + "__new": "Configure the operating system to assign home directories to all new local interactive users by setting the \"CREATE_HOME\" parameter in \"/etc/login.defs\" to \"yes\" as follows.\n\nCREATE_HOME yes" + } } }, "V-72015": { + "describe__deleted": " exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n users.where{ !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)}.entries.each do |user_info|\n next if exempt_home_users.include?(\"#{user_info.username}\")\n describe directory(user_info.home) do\n it { should exist }\n end\n end", "tags": { - "check_id": "C-72247r2_chk", - "severity": "medium", - "gid": "V-72015", - "rid": "SV-86639r2_rule", - "stig_id": "RHEL-07-020620", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78367r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72247r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72015" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are defined in the /etc/passwd file.", - "desc": "[\"If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. 
This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all local interactive user home directories are defined in the /etc/passwd\nfile.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are defined in the /etc/passwd file." + }, + "desc": { + "__old": "If a local interactive user has a home directory defined that does not\nexist, the user may be given access to the / directory as the current working\ndirectory upon logon. This could create a Denial of Service because the user\nwould not be able to access their logon configuration files, and it may give\nthem visibility to system files they normally would not be able to access.", + "__new": "If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access." + }, "descs": { - "check": "Verify the assigned home directory of all local interactive users on the system exists.\n\nCheck the home directory assignment for all local interactive non-privileged users on the system with the following command:\n\n# cut -d: -f 1,3,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\n\nsmithj:1001:/home/smithj\n\nNote: This may miss interactive users that have been assigned a privileged UID. 
Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\nCheck that all referenced home directories exist with the following command:\n\n# pwck -r\nuser 'smithj': directory '/home/smithj' does not exist\n\nIf any home directories referenced in \"/etc/passwd\" are returned as not defined, this is a finding.", - "fix": "Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in \"/etc/ passwd\":\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\", a UID of \"smithj\", and a Group Identifier (GID) of \"users\" assigned in \"/etc/passwd\".\n\n# mkdir /home/smithj \n# chown smithj /home/smithj\n# chgrp users /home/smithj\n# chmod 0750 /home/smithj" + "default__deleted": "If a local interactive user has a home directory defined that does not\nexist, the user may be given access to the / directory as the current working\ndirectory upon logon. This could create a Denial of Service because the user\nwould not be able to access their logon configuration files, and it may give\nthem visibility to system files they normally would not be able to access.", + "rationale__deleted": "", + "check": { + "__old": "Verify the assigned home directory of all local interactive users on the\nsystem exists.\n\n Check the home directory assignment for all local interactive\nnon-privileged users on the system with the following command:\n\n # cut -d: -f 1,3,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\n\n smithj:1001:/home/smithj\n\n Note: This may miss interactive users that have been assigned a privileged\nUID. 
Evidence of interactive use may be obtained from a number of log files\ncontaining system logon information.\n\n Check that all referenced home directories exist with the following command:\n\n # pwck -r\n user 'smithj': directory '/home/smithj' does not exist\n\n If any home directories referenced in \"/etc/passwd\" are returned as not\ndefined, this is a finding.", + "__new": "Verify the assigned home directory of all local interactive users on the system exists.\n\nCheck the home directory assignment for all local interactive non-privileged users on the system with the following command:\n\n# cut -d: -f 1,3,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\n\nsmithj:1001:/home/smithj\n\nNote: This may miss interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\nCheck that all referenced home directories exist with the following command:\n\n# pwck -r\nuser 'smithj': directory '/home/smithj' does not exist\n\nIf any home directories referenced in \"/etc/passwd\" are returned as not defined, this is a finding." + }, + "fix": { + "__old": "Create home directories to all local interactive users that currently do\nnot have a home directory assigned. Use the following commands to create the\nuser home directory assigned in \"/etc/ passwd\":\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\", a UID of \"smithj\", and a Group Identifier (GID) of\n\"users\" assigned in \"/etc/passwd\".\n\n # mkdir /home/smithj\n # chown smithj /home/smithj\n # chgrp users /home/smithj\n # chmod 0750 /home/smithj", + "__new": "Create home directories to all local interactive users that currently do not have a home directory assigned. 
Use the following commands to create the user home directory assigned in \"/etc/ passwd\":\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\", a UID of \"smithj\", and a Group Identifier (GID) of \"users\" assigned in \"/etc/passwd\".\n\n# mkdir /home/smithj \n# chown smithj /home/smithj\n# chgrp users /home/smithj\n# chmod 0750 /home/smithj" + } } }, "V-72017": { + "describe__deleted": " exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n findings = Set[]\n users.where{ !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)}.entries.each do |user_info|\n next if exempt_home_users.include?(\"#{user_info.username}\")\n findings = findings + command(\"find #{user_info.home} -maxdepth 0 -perm /027\").stdout.split(\"\\n\")\n end\n describe \"Home directories with excessive permissions\" do\n subject { findings.to_a }\n it { should be_empty }\n end", "tags": { - "check_id": "C-72249r2_chk", - "severity": "medium", - "gid": "V-72017", - "rid": "SV-86641r3_rule", - "stig_id": "RHEL-07-020630", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78369r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72249r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72017" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.", - "desc": "[\"Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be 
configured so\nthat all local interactive user home directories have mode 0750 or less\npermissive.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive." + }, + "desc": { + "__old": "Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.", + "__new": "Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users." + }, "descs": { - "check": "Verify the assigned home directory of all local interactive users has a mode of \"0750\" or less permissive.\n\nCheck the home directory assignment for all non-privileged users on the system with the following command:\n\nNote: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\n# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)\n-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n\nIf home directories referenced in \"/etc/passwd\" do not have a mode of \"0750\" or less permissive, this is a finding.", - "fix": "Change the mode of interactive user's home directories to \"0750\". 
To change the mode of a local interactive user's home directory, use the following command:\n\nNote: The example will be for the user \"smithj\".\n\n# chmod 0750 /home/smithj" + "default__deleted": "Excessive permissions on local interactive user home directories may\nallow unauthorized access to user files by other users.", + "rationale__deleted": "", + "check": { + "__old": "Verify the assigned home directory of all local interactive users has a\nmode of \"0750\" or less permissive.\n\n Check the home directory assignment for all non-privileged users on the\nsystem with the following command:\n\n Note: This may miss interactive users that have been assigned a privileged\nUser Identifier (UID). Evidence of interactive use may be obtained from a\nnumber of log files containing system logon information.\n\n # ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)\n -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n\n If home directories referenced in \"/etc/passwd\" do not have a mode of\n\"0750\" or less permissive, this is a finding.", + "__new": "Verify the assigned home directory of all local interactive users has a mode of \"0750\" or less permissive.\n\nCheck the home directory assignment for all non-privileged users on the system with the following command:\n\nNote: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\n# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)\n-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n\nIf home directories referenced in \"/etc/passwd\" do not have a mode of \"0750\" or less permissive, this is a finding." + }, + "fix": { + "__old": "Change the mode of interactive user's home directories to \"0750\". 
To\nchange the mode of a local interactive user's home directory, use the following\ncommand:\n\n Note: The example will be for the user \"smithj\".\n\n # chmod 0750 /home/smithj", + "__new": "Change the mode of interactive user's home directories to \"0750\". To change the mode of a local interactive user's home directory, use the following command:\n\nNote: The example will be for the user \"smithj\".\n\n# chmod 0750 /home/smithj" + } } }, "V-72019": { + "describe__deleted": " exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n findings = Set[]\n users.where{ !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)}.entries.each do |user_info|\n next if exempt_home_users.include?(\"#{user_info.username}\")\n describe directory(user_info.home) do\n it { should exist }\n its('owner') { should eq user_info.username }\n end\n end", "tags": { - "check_id": "C-72251r6_chk", - "severity": "medium", - "gid": "V-72019", - "rid": "SV-86643r5_rule", - "stig_id": "RHEL-07-020640", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78371r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72251r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72019" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.", - "desc": "[\"If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured 
so\nthat all local interactive user home directories are owned by their respective\nusers.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users." + }, + "desc": { + "__old": "If a local interactive user does not own their home directory,\nunauthorized users could access or modify the user's files, and the users may\nnot be able to access their own files.", + "__new": "If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files." + }, "descs": { - "check": "Verify the assigned home directory of all local interactive users on the system exists.\n\nCheck the home directory assignment for all local interactive users on the system with the following command:\n\n# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)\n\n-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n\nIf any home directories referenced in \"/etc/passwd\" are not owned by the interactive user, this is a finding.", - "fix": "Change the owner of a local interactive user's home directories to that owner. 
To change the owner of a local interactive user's home directory, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\".\n\n# chown smithj /home/smithj" + "default__deleted": "If a local interactive user does not own their home directory,\nunauthorized users could access or modify the user's files, and the users may\nnot be able to access their own files.", + "rationale__deleted": "", + "check": { + "__old": "Verify the assigned home directory of all local interactive users on the\nsystem exists.\n\n Check the home directory assignment for all local interactive users on the\nsystem with the following command:\n\n # ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)\n\n -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n\n If any home directories referenced in \"/etc/passwd\" are not owned by the\ninteractive user, this is a finding.", + "__new": "Verify the assigned home directory of all local interactive users on the system exists.\n\nCheck the home directory assignment for all local interactive users on the system with the following command:\n\n# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)\n\n-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n\nIf any home directories referenced in \"/etc/passwd\" are not owned by the interactive user, this is a finding." + }, + "fix": { + "__old": "Change the owner of a local interactive user's home directories to that\nowner. To change the owner of a local interactive user's home directory, use\nthe following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\".\n\n # chown smithj /home/smithj", + "__new": "Change the owner of a local interactive user's home directories to that owner. 
To change the owner of a local interactive user's home directory, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\".\n\n# chown smithj /home/smithj" + } } }, "V-72021": { + "describe__deleted": " exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n findings = Set[]\n users.where{ !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)}.entries.each do |user_info|\n next if exempt_home_users.include?(\"#{user_info.username}\")\n findings = findings + command(\"find #{user_info.home} -maxdepth 0 -not -gid #{user_info.gid}\").stdout.split(\"\\n\")\n end\n describe \"Home directories that are not group-owned by the user's primary GID\" do\n subject { findings.to_a }\n it { should be_empty }\n end", "tags": { - "check_id": "C-72253r8_chk", - "severity": "medium", - "gid": "V-72021", - "rid": "SV-86645r5_rule", - "stig_id": "RHEL-07-020650", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78373r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72253r8_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72021" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.", - "desc": "[\"If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red 
Hat Enterprise Linux operating system must be configured so\nthat all local interactive user home directories are group-owned by the home\ndirectory owners primary group.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group." + }, + "desc": { + "__old": "If the Group Identifier (GID) of a local interactive user's home\ndirectory is not the same as the primary GID of the user, this would allow\nunauthorized access to the user's files, and users that share the same group\nmay not be able to access files that they legitimately should.", + "__new": "If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should." + }, "descs": { - "check": "Verify the assigned home directory of all local interactive users is group-owned by that user's primary GID.\n\nCheck the home directory assignment for all local interactive users on the system with the following command:\n\n# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)\n\n-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n\nCheck the user's primary group with the following command:\n\n# grep users /etc/group\n\nusers:x:250:smithj,jonesj,jacksons\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by that user's primary GID, this is a finding.", - "fix": "Change the group owner of a local interactive user's home directory to the group found in \"/etc/passwd\". 
To change the group owner of a local interactive user's home directory, use the following command:\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\", and has a primary group of users.\n\n# chgrp users /home/smithj" + "default__deleted": "If the Group Identifier (GID) of a local interactive user's home\ndirectory is not the same as the primary GID of the user, this would allow\nunauthorized access to the user's files, and users that share the same group\nmay not be able to access files that they legitimately should.", + "rationale__deleted": "", + "check": { + "__old": "Verify the assigned home directory of all local interactive users is\ngroup-owned by that user's primary GID.\n\n Check the home directory assignment for all local interactive users on the\nsystem with the following command:\n\n # ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)\n\n -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n\n Check the user's primary group with the following command:\n\n # grep users /etc/group\n\n users:x:250:smithj,jonesj,jacksons\n\n If the user home directory referenced in \"/etc/passwd\" is not group-owned\nby that user's primary GID, this is a finding.", + "__new": "Verify the assigned home directory of all local interactive users is group-owned by that user's primary GID.\n\nCheck the home directory assignment for all local interactive users on the system with the following command:\n\n# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)\n\n-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj\n\nCheck the user's primary group with the following command:\n\n# grep users /etc/group\n\nusers:x:250:smithj,jonesj,jacksons\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by that user's primary GID, this is a finding." + }, + "fix": { + "__old": "Change the group owner of a local interactive user's home directory to the\ngroup found in \"/etc/passwd\". 
To change the group owner of a local\ninteractive user's home directory, use the following command:\n\n Note: The example will be for the user \"smithj\", who has a home directory\nof \"/home/smithj\", and has a primary group of users.\n\n # chgrp users /home/smithj", + "__new": "Change the group owner of a local interactive user's home directory to the group found in \"/etc/passwd\". To change the group owner of a local interactive user's home directory, use the following command:\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\", and has a primary group of users.\n\n# chgrp users /home/smithj" + } } }, "V-72023": { + "describe__deleted": " exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n findings = Set[]\n users.where{ !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)}.entries.each do |user_info|\n next if exempt_home_users.include?(\"#{user_info.username}\")\n findings = findings + command(\"find #{user_info.home} -xdev -xautofs -not -user #{user_info.username}\").stdout.split(\"\\n\")\n end\n describe \"Files and directories that are not owned by the user\" do\n subject { findings.to_a }\n it { should be_empty }\n end", "tags": { - "check_id": "C-72255r3_chk", - "severity": "medium", - "gid": "V-72023", - "rid": "SV-86647r2_rule", - "stig_id": "RHEL-07-020660", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78375r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72255r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72023" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained 
in local interactive user home directories are owned by the owner of the home directory.", - "desc": "[\"If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all files and directories contained in local interactive user home\ndirectories are owned by the owner of the home directory.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory." + }, + "desc": { + "__old": "If local interactive users do not own the files in their directories,\nunauthorized users may be able to access them. Additionally, if files are not\nowned by the user, this could be an indication of system compromise.", + "__new": "If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise." + }, "descs": { - "check": "Verify all files and directories in a local interactive user's home directory are owned by the user.\n\nCheck the owner of all files and directories in a local interactive user's home directory with the following command:\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n\n# ls -lLR /home/smithj\n-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r--r-- 1 smithj smithj 231 Mar 5 17:06 file3\n\nIf any files are found with an owner different than the home directory user, this is a finding.", - "fix": "Change the owner of a local interactive user's files and directories to that owner. 
To change the owner of a local interactive user's files and directories, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\".\n\n# chown smithj /home/smithj/" + "default__deleted": "If local interactive users do not own the files in their directories,\nunauthorized users may be able to access them. Additionally, if files are not\nowned by the user, this could be an indication of system compromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify all files and directories in a local interactive user's home\ndirectory are owned by the user.\n\n Check the owner of all files and directories in a local interactive user's\nhome directory with the following command:\n\n Note: The example will be for the user \"smithj\", who has a home directory\nof \"/home/smithj\".\n\n # ls -lLR /home/smithj\n -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r--r-- 1 smithj smithj 231 Mar 5 17:06 file3\n\n If any files are found with an owner different than the home directory\nuser, this is a finding.", + "__new": "Verify all files and directories in a local interactive user's home directory are owned by the user.\n\nCheck the owner of all files and directories in a local interactive user's home directory with the following command:\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n\n# ls -lLR /home/smithj\n-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r--r-- 1 smithj smithj 231 Mar 5 17:06 file3\n\nIf any files are found with an owner different than the home directory user, this is a finding." + }, + "fix": { + "__old": "Change the owner of a local interactive user's files and directories to\nthat owner. 
To change the owner of a local interactive user's files and\ndirectories, use the following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\".\n\n # chown smithj /home/smithj/", + "__new": "Change the owner of a local interactive user's files and directories to that owner. To change the owner of a local interactive user's files and directories, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\".\n\n# chown smithj /home/smithj/" + } } }, "V-72025": { + "describe__deleted": " exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n findings = Set[]\n users.where{ !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)}.entries.each do |user_info|\n next if exempt_home_users.include?(\"#{user_info.username}\")\n find_args = \"\"\n user_info.groups.each { |curr_group|\n # some key files and secure dirs (like .ssh) are group owned 'root'\n find_args = find_args + \"-not -group #{curr_group} -o root\"\n }\n findings = findings + command(\"find #{user_info.home} -xdev -xautofs #{find_args}\").stdout.split(\"\\n\")\n end\n describe \"Home directory files with incorrect group ownership or not 'root' owned\" do\n subject { findings.to_a }\n it { should be_empty }\n end", "tags": { - "check_id": "C-72257r3_chk", - "severity": "medium", - "gid": "V-72025", - "rid": "SV-86649r2_rule", - "stig_id": "RHEL-07-020670", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78377r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72257r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72025" - ], - "title": "The Red 
Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.", - "desc": "[\"If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all files and directories contained in local interactive user home\ndirectories are group-owned by a group of which the home directory owner is a\nmember.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member." + }, + "desc": { + "__old": "If a local interactive user's files are group-owned by a group of\nwhich the user is not a member, unintended users may be able to access them.", + "__new": "If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them." 
+ }, "descs": { - "check": "Verify all files and directories in a local interactive user home directory are group-owned by a group the user is a member of.\n\nCheck the group owner of all files and directories in a local interactive user's home directory with the following command:\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n\n# ls -lLR ///\n-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3\n\nIf any files are found with an owner different than the group home directory user, check to see if the user is a member of that group with the following command:\n\n# grep smithj /etc/group\nsa:x:100:juan,shelley,bob,smithj \nsmithj:x:521:smithj\n\nIf the user is not a member of a group that group owns file(s) in a local interactive user's home directory, this is a finding.", - "fix": "Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. 
To change the group owner of a local interactive user's files and directories, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\" and is a member of the users group.\n\n# chgrp users /home/smithj/" + "default__deleted": "If a local interactive user's files are group-owned by a group of\nwhich the user is not a member, unintended users may be able to access them.", + "rationale__deleted": "", + "check": { + "__old": "Verify all files and directories in a local interactive user home directory\nare group-owned by a group the user is a member of.\n\n Check the group owner of all files and directories in a local interactive\nuser's home directory with the following command:\n\n Note: The example will be for the user \"smithj\", who has a home directory\nof \"/home/smithj\".\n\n # ls -lLR ///\n -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3\n\n If any files are found with an owner different than the group home\ndirectory user, check to see if the user is a member of that group with the\nfollowing command:\n\n # grep smithj /etc/group\n sa:x:100:juan,shelley,bob,smithj\n smithj:x:521:smithj\n\n If the user is not a member of a group that group owns file(s) in a local\ninteractive user's home directory, this is a finding.", + "__new": "Verify all files and directories in a local interactive user home directory are group-owned by a group the user is a member of.\n\nCheck the group owner of all files and directories in a local interactive user's home directory with the following command:\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n\n# ls -lLR ///\n-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3\n\nIf any files are found with an owner different than the group 
home directory user, check to see if the user is a member of that group with the following command:\n\n# grep smithj /etc/group\nsa:x:100:juan,shelley,bob,smithj \nsmithj:x:521:smithj\n\nIf the user is not a member of a group that group owns file(s) in a local interactive user's home directory, this is a finding." + }, + "fix": { + "__old": "Change the group of a local interactive user's files and directories to a\ngroup that the interactive user is a member of. To change the group owner of a\nlocal interactive user's files and directories, use the following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\" and is a member of the users group.\n\n # chgrp users /home/smithj/", + "__new": "Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\" and is a member of the users group.\n\n# chgrp users /home/smithj/" + } } }, "V-72027": { + "describe__deleted": " exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where{ !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)}.entries.each do |user_info|\n next if exempt_home_users.include?(\"#{user_info.username}\")\n findings = findings + command(\"find #{user_info.home} -xdev ! -name '.*' -perm /027 ! 
-type l\").stdout.split(\"\\n\")\n end\n describe \"Home directories with excessive permissions\" do\n subject { findings.to_a }\n it { should be_empty }\n end", "tags": { - "check_id": "C-72259r1_chk", - "severity": "medium", - "gid": "V-72027", - "rid": "SV-86651r2_rule", - "stig_id": "RHEL-07-020680", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78379r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72259r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72027" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.", - "desc": "[\"If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all files and directories contained in local interactive user home\ndirectories have a mode of 0750 or less permissive.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." + }, + "desc": { + "__old": "If a local interactive user files have excessive permissions,\nunintended users may be able to access or modify them.", + "__new": "If a local interactive user files have excessive permissions, unintended users may be able to access or modify them." 
+ }, "descs": { - "check": "Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of \"0750\".\n\nCheck the mode of all non-initialization files in a local interactive user home directory with the following command:\n\nFiles that begin with a \".\" are excluded from this requirement.\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n\n# ls -lLR /home/smithj\n-rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1\n-rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3\n\nIf any files are found with a mode more permissive than \"0750\", this is a finding.", - "fix": "Set the mode on files and directories in the local interactive user home directory with the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\" and is a member of the users group.\n\n# chmod 0750 /home/smithj/" + "default__deleted": "If a local interactive user files have excessive permissions,\nunintended users may be able to access or modify them.", + "rationale__deleted": "", + "check": { + "__old": "Verify all files and directories contained in a local interactive user home\ndirectory, excluding local initialization files, have a mode of \"0750\".\n\n Check the mode of all non-initialization files in a local interactive user\nhome directory with the following command:\n\n Files that begin with a \".\" are excluded from this requirement.\n\n Note: The example will be for the user \"smithj\", who has a home directory\nof \"/home/smithj\".\n\n # ls -lLR /home/smithj\n -rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1\n -rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2\n -rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3\n\n If any files are found with a mode more permissive than \"0750\", this is a\nfinding.", + "__new": "Verify all files and directories contained in a local 
interactive user home directory, excluding local initialization files, have a mode of \"0750\".\n\nCheck the mode of all non-initialization files in a local interactive user home directory with the following command:\n\nFiles that begin with a \".\" are excluded from this requirement.\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n\n# ls -lLR /home/smithj\n-rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1\n-rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3\n\nIf any files are found with a mode more permissive than \"0750\", this is a finding." + }, + "fix": { + "__old": "Set the mode on files and directories in the local interactive user home\ndirectory with the following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\" and is a member of the users group.\n\n # chmod 0750 /home/smithj/", + "__new": "Set the mode on files and directories in the local interactive user home directory with the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\" and is a member of the users group.\n\n# chmod 0750 /home/smithj/" + } } }, "V-72029": { + "describe__deleted": " exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where{ !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)}.entries.each do |user_info|\n next if exempt_home_users.include?(\"#{user_info.username}\")\n findings = findings + command(\"find #{user_info.home} -name '.*' -not -user #{user_info.username} -a -not -user root\").stdout.split(\"\\n\")\n end\n describe \"Files and Directories not owned by the user or root of the parent home directory\" do\n subject { findings.to_a }\n it { should be_empty }\n end", "tags": { - "check_id": "C-72261r6_chk", - "severity": 
"medium", - "gid": "V-72029", - "rid": "SV-86653r4_rule", - "stig_id": "RHEL-07-020690", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78381r4_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72261r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, + "rid": { + "__old": "SV-86653r3_rule", + "__new": "SV-86653r4_rule" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72029" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.", - "desc": "[\"Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all local initialization files for interactive users are owned by the home\ndirectory user or root.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root." + }, + "desc": { + "__old": "Local initialization files are used to configure the user's shell\nenvironment upon logon. Malicious modification of these files could compromise\naccounts upon logon.", + "__new": "Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon." 
+ }, "descs": { - "check": "Verify the local initialization files of all local interactive users are owned by that user.\n\nCheck the home directory assignment for all non-privileged users on the system with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of \"/home/smithj\".\n\n# cut -d: -f 1,3,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\nsmithj:1000:/home/smithj\n\nNote: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\nCheck the owner of all local interactive user's initialization files with the following command:\n\n# ls -al /home/smithj/.[^.]* | more\n\n-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n\nIf all local interactive user's initialization files are not owned by that user or root, this is a finding.", - "fix": "Set the owner of the local initialization files for interactive users to either the directory owner or root with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of \"/home/smithj\".\n\n# chown smithj /home/smithj/.[^.]*" + "default__deleted": "Local initialization files are used to configure the user's shell\nenvironment upon logon. 
Malicious modification of these files could compromise\naccounts upon logon.", + "rationale__deleted": "", + "check": { + "__old": "Verify the local initialization files of all local interactive users are\ngroup-owned by that user's primary Group Identifier (GID).\n\n Check the home directory assignment for all non-privileged users on the\nsystem with the following command:\n\n Note: The example will be for the smithj user, who has a home directory of\n\"/home/smithj\" and a primary group of \"users\".\n\n # cut -d: -f 1,4,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\n smithj:1000:/home/smithj\n\n # grep 1000 /etc/group\n users:x:1000:smithj,jonesj,jacksons\n\n Note: This may miss interactive users that have been assigned a privileged\nUser Identifier (UID). Evidence of interactive use may be obtained from a\nnumber of log files containing system logon information.\n\n Check the group owner of all local interactive user's initialization files\nwith the following command:\n\n # ls -al /home/smithj/.[^.]* | more\n\n -rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n -rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n -rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n\n If all local interactive user's initialization files are not group-owned by\nthat user's primary GID, this is a finding.", + "__new": "Verify the local initialization files of all local interactive users are owned by that user.\n\nCheck the home directory assignment for all non-privileged users on the system with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of \"/home/smithj\".\n\n# cut -d: -f 1,3,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\nsmithj:1000:/home/smithj\n\nNote: This may miss interactive users that have been assigned a privileged User Identifier (UID). 
Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\nCheck the owner of all local interactive user's initialization files with the following command:\n\n# ls -al /home/smithj/.[^.]* | more\n\n-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n\nIf all local interactive user's initialization files are not owned by that user or root, this is a finding." + }, + "fix": { + "__old": "Set the owner of the local initialization files for interactive users to\neither the directory owner or root with the following command:\n\n Note: The example will be for the smithj user, who has a home directory of\n\"/home/smithj\".\n\n # chown smithj /home/smithj/.[^.]*", + "__new": "Set the owner of the local initialization files for interactive users to either the directory owner or root with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of \"/home/smithj\".\n\n# chown smithj /home/smithj/.[^.]*" + } } }, "V-72031": { + "describe__deleted": " exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where{ !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)}.entries.each do |user_info|\n findings = findings + command(\"find #{user_info.home} -name '.*' -not -gid #{user_info.gid} -not -group root\").stdout.split(\"\\n\")\n end\n describe findings do\n its('length') { should == 0 }\n end", "tags": { - "check_id": "C-72263r7_chk", - "severity": "medium", - "gid": "V-72031", - "rid": "SV-86655r4_rule", - "stig_id": "RHEL-07-020700", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78383r4_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72263r7_chk", + "documentable__added": false, + "severity": { + 
"__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72031" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root.", - "desc": "[\"Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all local initialization files for local interactive users are be\ngroup-owned by the users primary group or root.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root." + }, + "desc": { + "__old": "Local initialization files for interactive users are used to configure\nthe user's shell environment upon logon. Malicious modification of these files\ncould compromise accounts upon logon.", + "__new": "Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon." 
+ }, "descs": { - "check": "Verify the local initialization files of all local interactive users are group-owned by that user's primary Group Identifier (GID).\n\nCheck the home directory assignment for all non-privileged users on the system with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of \"/home/smithj\" and a primary group of \"users\".\n\n# cut -d: -f 1,4,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\nsmithj:1000:/home/smithj\n\n# grep 1000 /etc/group\nusers:x:1000:smithj,jonesj,jacksons \n\nNote: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\nCheck the group owner of all local interactive user's initialization files with the following command:\n\n# ls -al /home/smithj/.[^.]* | more\n\n-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n\nIf all local interactive user's initialization files are not group-owned by that user's primary GID, this is a finding.", - "fix": "Change the group owner of a local interactive user's files to the group found in \"/etc/passwd\" for the user. To change the group owner of a local interactive user's home directory, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\", and has a primary group of users.\n\n# chgrp users /home/smithj/.[^.]*" + "default__deleted": "Local initialization files for interactive users are used to configure\nthe user's shell environment upon logon. 
Malicious modification of these files\ncould compromise accounts upon logon.", + "rationale__deleted": "", + "check": { + "__old": "Verify the local initialization files of all local interactive users are\ngroup-owned by that user's primary Group Identifier (GID).\n\n Check the home directory assignment for all non-privileged users on the\nsystem with the following command:\n\n Note: The example will be for the smithj user, who has a home directory of\n\"/home/smithj\" and a primary group of \"users\".\n\n # cut -d: -f 1,4,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\n smithj:1000:/home/smithj\n\n # grep 1000 /etc/group\n users:x:1000:smithj,jonesj,jacksons\n\n Note: This may miss interactive users that have been assigned a privileged\nUser Identifier (UID). Evidence of interactive use may be obtained from a\nnumber of log files containing system logon information.\n\n Check the group owner of all local interactive user's initialization files\nwith the following command:\n\n # ls -al /home/smithj/.[^.]* | more\n\n -rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n -rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n -rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n\n If all local interactive user's initialization files are not group-owned by\nthat user's primary GID, this is a finding.", + "__new": "Verify the local initialization files of all local interactive users are group-owned by that user's primary Group Identifier (GID).\n\nCheck the home directory assignment for all non-privileged users on the system with the following command:\n\nNote: The example will be for the smithj user, who has a home directory of \"/home/smithj\" and a primary group of \"users\".\n\n# cut -d: -f 1,4,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\nsmithj:1000:/home/smithj\n\n# grep 1000 /etc/group\nusers:x:1000:smithj,jonesj,jacksons \n\nNote: This may miss interactive users that have been assigned a privileged User Identifier (UID). 
Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\nCheck the group owner of all local interactive user's initialization files with the following command:\n\n# ls -al /home/smithj/.[^.]* | more\n\n-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile\n-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login\n-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something\n\nIf all local interactive user's initialization files are not group-owned by that user's primary GID, this is a finding." + }, + "fix": { + "__old": "Change the group owner of a local interactive user's files to the group\nfound in \"/etc/passwd\" for the user. To change the group owner of a local\ninteractive user's home directory, use the following command:\n\n Note: The example will be for the user smithj, who has a home directory of\n\"/home/smithj\", and has a primary group of users.\n\n # chgrp users /home/smithj/.[^.]*", + "__new": "Change the group owner of a local interactive user's files to the group found in \"/etc/passwd\" for the user. 
To change the group owner of a local interactive user's home directory, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\", and has a primary group of users.\n\n# chgrp users /home/smithj/.[^.]*" + } } }, "V-72033": { + "describe__deleted": " exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where{ !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)}.entries.each do |user_info|\n findings = findings + command(\"find #{user_info.home} -xdev -maxdepth 1 -name '.*' -type f -perm /037\").stdout.split(\"\\n\")\n end\n describe findings do\n it { should be_empty }\n end", "tags": { - "check_id": "C-72265r4_chk", - "severity": "medium", - "gid": "V-72033", - "rid": "SV-86657r3_rule", - "stig_id": "RHEL-07-020710", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78385r4_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72265r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72033" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.", - "desc": "[\"Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all local initialization files have mode 0740 or less permissive.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive." 
+ }, + "desc": { + "__old": "Local initialization files are used to configure the user's shell\nenvironment upon logon. Malicious modification of these files could compromise\naccounts upon logon.", + "__new": "Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon." + }, "descs": { - "check": "Verify that all local initialization files have a mode of \"0740\" or less permissive.\n\nCheck the mode on all local initialization files with the following command:\n\nNote: The example will be for the \"smithj\" user, who has a home directory of \"/home/smithj\".\n\n# ls -al /home/smithj/.[^.]* | more\n\n-rwxr----- 1 smithj users 896 Mar 10 2011 .profile\n-rwxr----- 1 smithj users 497 Jan 6 2007 .login\n-rwxr----- 1 smithj users 886 Jan 6 2007 .something\n\nIf any local initialization files have a mode more permissive than \"0740\", this is a finding.", - "fix": "Set the mode of the local initialization files to \"0740\" with the following command:\n\nNote: The example will be for the \"smithj\" user, who has a home directory of \"/home/smithj\".\n\n# chmod 0740 /home/smithj/.[^.]*" + "default__deleted": "Local initialization files are used to configure the user's shell\nenvironment upon logon. 
Malicious modification of these files could compromise\naccounts upon logon.", + "rationale__deleted": "", + "check": { + "__old": "Verify that all local initialization files have a mode of \"0740\" or less\npermissive.\n\n Check the mode on all local initialization files with the following command:\n\n Note: The example will be for the \"smithj\" user, who has a home directory\nof \"/home/smithj\".\n\n # ls -al /home/smithj/.[^.]* | more\n\n -rwxr----- 1 smithj users 896 Mar 10 2011 .profile\n -rwxr----- 1 smithj users 497 Jan 6 2007 .login\n -rwxr----- 1 smithj users 886 Jan 6 2007 .something\n\n If any local initialization files have a mode more permissive than\n\"0740\", this is a finding.", + "__new": "Verify that all local initialization files have a mode of \"0740\" or less permissive.\n\nCheck the mode on all local initialization files with the following command:\n\nNote: The example will be for the \"smithj\" user, who has a home directory of \"/home/smithj\".\n\n# ls -al /home/smithj/.[^.]* | more\n\n-rwxr----- 1 smithj users 896 Mar 10 2011 .profile\n-rwxr----- 1 smithj users 497 Jan 6 2007 .login\n-rwxr----- 1 smithj users 886 Jan 6 2007 .something\n\nIf any local initialization files have a mode more permissive than \"0740\", this is a finding." 
+ }, + "fix": { + "__old": "Set the mode of the local initialization files to \"0740\" with the\nfollowing command:\n\n Note: The example will be for the \"smithj\" user, who has a home directory\nof \"/home/smithj\".\n\n # chmod 0740 /home/smithj/.[^.]*", + "__new": "Set the mode of the local initialization files to \"0740\" with the following command:\n\nNote: The example will be for the \"smithj\" user, who has a home directory of \"/home/smithj\".\n\n# chmod 0740 /home/smithj/.[^.]*" + } } }, "V-72035": { + "describe__deleted": " exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n findings = Set[]\n users.where{ !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)}.entries.each do |user_info|\n next if exempt_home_users.include?(\"#{user_info.username}\")\n grep_results = command(\"grep -i path --exclude=\\\".bash_history\\\" #{user_info.home}/.*\").stdout.split(\"\\\\n\")\n grep_results.each do |result|\n result.slice! \"PATH=\"\n # Case when last value in exec search path is :\n if result[-1] == \":\" then\n result = result + \" \"\n end\n result.slice! \"$PATH:\"\n result.gsub! '$HOME', \"#{user_info.home}\"\n result.gsub! '~', \"#{user_info.home}\"\n line_arr = result.split(\":\")\n line_arr.delete_at(0)\n line_arr.each do |line|\n # Don't run test on line that exports PATH and is not commented out\n if !line.start_with?('export') && !line.start_with?('#') then\n # Case when :: found in exec search path or : found at beginning\n if line.strip.empty? 
then\n curr_work_dir = command(\"pwd\").stdout.gsub(\"\\n\", \"\")\n if curr_work_dir.start_with?(\"#{user_info.home}\") then\n line = curr_work_dir\n end\n end\n # This will fail if non-home directory found in path\n if !line.start_with?(user_info.home)\n findings.add(line)\n end\n end\n end\n end\n end\n describe.one do\n describe etc_fstab do\n its('home_mount_options') { should include 'nosuid' }\n end\n describe \"Initialization files that include executable search paths that include directories outside their home directories\" do\n subject { findings.to_a }\n it { should be_empty }\n end\n end", "tags": { - "check_id": "C-72267r5_chk", - "severity": "medium", - "gid": "V-72035", - "rid": "SV-86659r4_rule", - "stig_id": "RHEL-07-020720", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78387r4_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72267r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72035" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.", - "desc": "[\"The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. 
If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all local interactive user initialization files executable search paths\ncontain only paths that resolve to the users home directory.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory." + }, + "desc": { + "__old": "The executable search path (typically the PATH environment variable)\ncontains a list of directories for the shell to search to find executables. If\nthis path includes the current working directory (other than the user's home\ndirectory), executables in these directories may be executed instead of system\ncommands. This variable is formatted as a colon-separated list of directories.\nIf there is an empty entry, such as a leading or trailing colon or two\nconsecutive colons, this is interpreted as the current working directory. If\ndeviations from the default system search path for the local interactive user\nare required, they must be documented with the Information System Security\nOfficer (ISSO).", + "__new": "The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. 
If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO)." + }, "descs": { - "check": "Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the users' home directory.\n\nCheck the executable search path statement for all local interactive user initialization files in the users' home directory with the following commands:\n\nNote: The example will be for the smithj user, which has a home directory of \"/home/smithj\".\n\n# grep -i path /home/smithj/.*\n/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n/home/smithj/.bash_profile:export PATH\n\nIf any local interactive user initialization files have executable search path statements that include directories outside of their home directory, this is a finding.", - "fix": "Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. \n\nIf a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO." + "default__deleted": "The executable search path (typically the PATH environment variable)\ncontains a list of directories for the shell to search to find executables. If\nthis path includes the current working directory (other than the user's home\ndirectory), executables in these directories may be executed instead of system\ncommands. This variable is formatted as a colon-separated list of directories.\nIf there is an empty entry, such as a leading or trailing colon or two\nconsecutive colons, this is interpreted as the current working directory. 
If\ndeviations from the default system search path for the local interactive user\nare required, they must be documented with the Information System Security\nOfficer (ISSO).", + "rationale__deleted": "", + "check": { + "__old": "Verify that all local interactive user initialization files' executable\nsearch path statements do not contain statements that will reference a working\ndirectory other than the users' home directory.\n\n Check the executable search path statement for all local interactive user\ninitialization files in the users' home directory with the following commands:\n\n Note: The example will be for the smithj user, which has a home directory\nof \"/home/smithj\".\n\n # grep -i path /home/smithj/.*\n /home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n /home/smithj/.bash_profile:export PATH\n\n If any local interactive user initialization files have executable search\npath statements that include directories outside of their home directory, this\nis a finding.", + "__new": "Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the users' home directory.\n\nCheck the executable search path statement for all local interactive user initialization files in the users' home directory with the following commands:\n\nNote: The example will be for the smithj user, which has a home directory of \"/home/smithj\".\n\n# grep -i path /home/smithj/.*\n/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n/home/smithj/.bash_profile:export PATH\n\nIf any local interactive user initialization files have executable search path statements that include directories outside of their home directory, this is a finding." 
+ }, + "fix": { + "__old": "Edit the local interactive user initialization files to change any PATH\nvariable statements that reference directories other than their home directory.\n\n If a local interactive user requires path variables to reference a\ndirectory owned by the application, it must be documented with the ISSO.", + "__new": "Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. \n\nIf a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO." + } } }, "V-72037": { + "describe__deleted": " if input('disable_slow_controls')\n desc \"This control consistently takes a long to run and has been disabled\n using the disable_slow_controls attribute.\"\n else\n end\n exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n if input('disable_slow_controls')\n describe \"This control consistently takes a long to run and has been disabled\n using the disable_slow_controls attribute.\" do\n skip \"This control consistently takes a long to run and has been disabled\n using the disable_slow_controls attribute. You must enable this control for a\n full accredidation for production.\"\n end\n else\n ignore_shells = non_interactive_shells.join('|')\n\n #Get home directory for users with UID >= 1000 or UID == 0 and support interactive logins.\n dotfiles = Set[]\n u = users.where{ !shell.match(ignore_shells) && (uid >= 1000 || uid == 0)}.entries\n #For each user, build and execute a find command that identifies initialization files\n #in a user's home directory.\n u.each do |user|\n dotfiles = dotfiles + command(\"find #{user.home} -xdev -maxdepth 2 ( -name '.*' ! 
-name '.bash_history' ) -type f\").stdout.split(\"\\n\")\n end\n ww_files = Set[]\n ww_files = command('find / -xdev -perm -002 -type f -exec ls {} \\;').stdout.lines\n\n #To reduce the number of commands ran, we use a pattern file in the grep command below\n #So we don't have too long of a grep command, we chunk the list of ww_files\n #into strings not longer than PATTERN_FILE_MAX_LENGTH\n #Based on MAX_ARG_STRLEN, /usr/include/linux/binfmts.h\n #We cut off 100 to leave room for the rest of the arguments\n PATTERN_FILE_MAX_LENGTH=command(\"getconf PAGE_SIZE\").stdout.to_i * 32 - 100\n ww_chunked=[\"\"]\n ww_files.each do |item|\n item = item.strip\n if item.length + \"\\n\".length > PATTERN_FILE_MAX_LENGTH\n raise \"Single pattern is longer than PATTERN_FILE_MAX_LENGTH\"\n end\n if ww_chunked[-1].length + \"\\n\".length + item.length > PATTERN_FILE_MAX_LENGTH\n ww_chunked.append(\"\")\n end\n ww_chunked[-1] += \"\\n\" + item # This will leave an extra newline at the beginning of chunks\n end\n ww_chunked = ww_chunked.map(&:strip) # This gets rid of the beginning newlines\n if ww_chunked[0] == \"\"\n ww_chunked = [] # If we didn't have any ww_files, this will prevent an empty grep pattern\n end\n\n #Check each dotfile for existence of each world-writeable file\n findings = Set[]\n dotfiles.each do |dotfile|\n dotfile = dotfile.strip\n ww_chunked.each do |ww_pattern_file|\n count = command(\"grep -c -f <(echo \\\"#{ww_pattern_file}\\\") \\\"#{dotfile}\\\"\").stdout.strip.to_i\n findings << dotfile if count > 0\n end\n end\n describe \"Local initialization files that are found to reference world-writable files\" do\n subject { findings.to_a }\n it { should be_empty }\n end\n end", "tags": { - "check_id": "C-72269r2_chk", - "severity": "medium", - "gid": "V-72037", - "rid": "SV-86661r2_rule", - "stig_id": "RHEL-07-020730", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78389r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": 
"C-72269r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72037" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs.", - "desc": "[\"If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat local initialization files do not execute world-writable programs.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." + }, + "desc": { + "__old": "If user start-up files execute world-writable programs, especially in\nunprotected directories, they could be maliciously modified to destroy user\nfiles or otherwise compromise the system at the user level. If the system is\ncompromised at the user level, it is easier to elevate privileges to eventually\ncompromise the system at the root and network level.", + "__new": "If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level." 
+ }, "descs": { - "check": "Verify that local initialization files do not execute world-writable programs.\n\nCheck the system for world-writable files with the following command:\n\n# find / -xdev -perm -002 -type f -exec ls -ld {} \\; | more\n\nFor all files listed, check for their presence in the local initialization files with the following commands:\n\nNote: The example will be for a system that is configured to create users' home directories in the \"/home\" directory.\n\n# grep /home/*/.*\n\nIf any local initialization files are found to reference world-writable files, this is a finding.", - "fix": "Set the mode on files being executed by the local initialization files with the following command:\n\n# chmod 0755 " + "default__deleted": "If user start-up files execute world-writable programs, especially in\nunprotected directories, they could be maliciously modified to destroy user\nfiles or otherwise compromise the system at the user level. If the system is\ncompromised at the user level, it is easier to elevate privileges to eventually\ncompromise the system at the root and network level.", + "rationale__deleted": "", + "check": { + "__old": "Verify that local initialization files do not execute world-writable\nprograms.\n\n Check the system for world-writable files with the following command:\n\n # find / -xdev -perm -002 -type f -exec ls -ld {} \\; | more\n\n For all files listed, check for their presence in the local initialization\nfiles with the following commands:\n\n Note: The example will be for a system that is configured to create users'\nhome directories in the \"/home\" directory.\n\n # grep /home/*/.*\n\n If any local initialization files are found to reference world-writable\nfiles, this is a finding.", + "__new": "Verify that local initialization files do not execute world-writable programs.\n\nCheck the system for world-writable files with the following command:\n\n# find / -xdev -perm -002 -type f -exec ls -ld {} \\; | more\n\nFor all files 
listed, check for their presence in the local initialization files with the following commands:\n\nNote: The example will be for a system that is configured to create users' home directories in the \"/home\" directory.\n\n# grep /home/*/.*\n\nIf any local initialization files are found to reference world-writable files, this is a finding." + }, + "fix": { + "__old": "Set the mode on files being executed by the local initialization files with\nthe following command:\n\n # chmod 0755 ", + "__new": "Set the mode on files being executed by the local initialization files with the following command:\n\n# chmod 0755 " + } } }, "V-72039": { + "describe__deleted": " virtual_machine = input('virtual_machine')\n\n findings = Set[]\n findings = findings + command('find / -xdev -context *:device_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"').stdout.split(\"\\n\")\n findings = findings + command('find / -xdev -context *:unlabeled_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"').stdout.split(\"\\n\")\n findings = findings + command('find / -xdev -context *:vmci_device_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"').stdout.split(\"\\n\")\n\n describe findings do\n if virtual_machine\n its ('length') { should cmp 1 }\n its ('first') { should include '/dev/vmci' }\n else\n its ('length') { should cmp 0 }\n end\n end", "tags": { - "check_id": "C-72271r1_chk", - "severity": "medium", - "gid": "V-72039", - "rid": "SV-86663r2_rule", - "stig_id": "RHEL-07-020900", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78391r1_fix", - "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" - ], + "check_id__added": "C-72271r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1) (a)", - "CM-5 (1)" + [ + " " + ], + [ + " " + ], + [ + " " + ], + [ + "+", + "CM-5 (1) (a)" + ], + [ + " " + ], + [ + "-", + "CM-5 (1)" + ] ] }, "refs": [ [ + 
"+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72039" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.", - "desc": "[\"If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all system device files are correctly labeled to prevent unauthorized\nmodification.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification." + }, + "desc": { + "__old": "If an unauthorized or modified device is allowed to exist on the\nsystem, there is the possibility the system may perform unintended or\nunauthorized operations.", + "__new": "If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations." + }, "descs": { - "check": "Verify that all system device files are correctly labeled to prevent unauthorized modification.\n\nList all device files on the system that are incorrectly labeled with the following commands:\n\nNote: Device files are normally found under \"/dev\", but applications may place device files in other directories and may necessitate a search of the entire system.\n\n#find /dev -context *:device_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"\n\n#find /dev -context *:unlabeled_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"\n\nNote: There are device files, such as \"/dev/vmci\", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the \"device_t\" label to operate. 
These device files are not a finding.\n\nIf there is output from either of these commands, other than already noted, this is a finding.", - "fix": "Run the following command to determine which package owns the device file:\n\n# rpm -qf \n\nThe package can be reinstalled from a yum repository using the command:\n\n# sudo yum reinstall \n\nAlternatively, the package can be reinstalled from trusted media using the command:\n\n# sudo rpm -Uvh " + "default__deleted": "If an unauthorized or modified device is allowed to exist on the\nsystem, there is the possibility the system may perform unintended or\nunauthorized operations.", + "rationale__deleted": "", + "check": { + "__old": "Verify that all system device files are correctly labeled to prevent\nunauthorized modification.\n\n List all device files on the system that are incorrectly labeled with the\nfollowing commands:\n\n Note: Device files are normally found under \"/dev\", but applications may\nplace device files in other directories and may necessitate a search of the\nentire system.\n\n #find /dev -context *:device_t:* \\( -type c -o -type b \\) -printf \"%p %Z \"\n\n #find /dev -context *:unlabeled_t:* \\( -type c -o -type b \\) -printf \"%p\n%Z \"\n\n Note: There are device files, such as \"/dev/vmci\", that are used when the\noperating system is a host virtual machine. They will not be owned by a user on\nthe system and require the \"device_t\" label to operate. 
These device files\nare not a finding.\n\n If there is output from either of these commands, other than already noted,\nthis is a finding.", + "__new": "Verify that all system device files are correctly labeled to prevent unauthorized modification.\n\nList all device files on the system that are incorrectly labeled with the following commands:\n\nNote: Device files are normally found under \"/dev\", but applications may place device files in other directories and may necessitate a search of the entire system.\n\n#find /dev -context *:device_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"\n\n#find /dev -context *:unlabeled_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"\n\nNote: There are device files, such as \"/dev/vmci\", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the \"device_t\" label to operate. These device files are not a finding.\n\nIf there is output from either of these commands, other than already noted, this is a finding." 
+ }, + "fix": { + "__old": "Run the following command to determine which package owns the device file:\n\n # rpm -qf \n\n The package can be reinstalled from a yum repository using the command:\n\n # sudo yum reinstall \n\n Alternatively, the package can be reinstalled from trusted media using the\ncommand:\n\n # sudo rpm -Uvh ", + "__new": "Run the following command to determine which package owns the device file:\n\n# rpm -qf \n\nThe package can be reinstalled from a yum repository using the command:\n\n# sudo yum reinstall \n\nAlternatively, the package can be reinstalled from trusted media using the command:\n\n# sudo rpm -Uvh " + } } }, "V-72041": { + "describe__deleted": " describe mount('/home') do\n its('options') { should include 'nosuid' }\n end", "tags": { - "check_id": "C-72273r7_chk", - "severity": "medium", - "gid": "V-72041", - "rid": "SV-86665r4_rule", - "stig_id": "RHEL-07-021000", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78393r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72273r7_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72041" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.", - "desc": "[\"The \\\"nosuid\\\" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat file systems containing user home directories are mounted to prevent files\nwith the setuid and setgid bit set from being executed.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed." + }, + "desc": { + "__old": "The \"nosuid\" mount option causes the system to not execute setuid\nand setgid files with owner privileges. This option must be used for mounting\nany file system not containing approved setuid and setguid files. Executing\nfiles from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", + "__new": "The \"nosuid\" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access." 
+ }, "descs": { - "check": "Verify file systems that contain user home directories are mounted with the \"nosuid\" option.\n\nFind the file system(s) that contain the user home directories with the following command:\n\nNote: If a separate file system has not been created for the user home directories (user home directories are mounted under \"/\"), this is not a finding as the \"nosuid\" option cannot be used on the \"/\" system.\n\n# cut -d: -f 1,3,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\nsmithj:1001:/home/smithj\nthomasr:1002:/home/thomasr\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2\n \nIf a file system found in \"/etc/fstab\" refers to the user home directory file system and it does not have the \"nosuid\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that contain user home directories." + "default__deleted": "The \"nosuid\" mount option causes the system to not execute setuid\nand setgid files with owner privileges. This option must be used for mounting\nany file system not containing approved setuid and setguid files. 
Executing\nfiles from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", + "rationale__deleted": "", + "check": { + "__old": "Verify file systems that contain user home directories are mounted with the\n\"nosuid\" option.\n\n Find the file system(s) that contain the user home directories with the\nfollowing command:\n\n Note: If a separate file system has not been created for the user home\ndirectories (user home directories are mounted under \"/\"), this is not a\nfinding as the \"nosuid\" option cannot be used on the \"/\" system.\n\n # cut -d: -f 1,3,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\n smithj:1001:/home/smithj\n thomasr:1002:/home/thomasr\n\n Check the file systems that are mounted at boot time with the following\ncommand:\n\n # more /etc/fstab\n\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4\nrw,relatime,discard,data=ordered,nosuid 0 2\n\n If a file system found in \"/etc/fstab\" refers to the user home directory\nfile system and it does not have the \"nosuid\" option set, this is a finding.", + "__new": "Verify file systems that contain user home directories are mounted with the \"nosuid\" option.\n\nFind the file system(s) that contain the user home directories with the following command:\n\nNote: If a separate file system has not been created for the user home directories (user home directories are mounted under \"/\"), this is not a finding as the \"nosuid\" option cannot be used on the \"/\" system.\n\n# cut -d: -f 1,3,6 /etc/passwd | egrep \":[1-4][0-9]{3}\"\nsmithj:1001:/home/smithj\nthomasr:1002:/home/thomasr\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2\n \nIf a file system found in \"/etc/fstab\" refers to the user home directory file system and it does not have the \"nosuid\" option set, this is a finding." 
+ }, + "fix": { + "__old": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nfile systems that contain user home directories.", + "__new": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that contain user home directories." + } } }, "V-72043": { + "describe__deleted": " non_removable_media_fs = input('non_removable_media_fs')\n\n file_systems = etc_fstab.params\n if !file_systems.nil? and !file_systems.empty?\n file_systems.each do |file_sys_line|\n if !\"#{non_removable_media_fs}\".include?(file_sys_line['file_system_type']) then\n describe file_sys_line['mount_options'] do\n it { should include 'nosuid' }\n end\n else\n describe \"File system \\\"#{file_sys_line['file_system_type']}\\\" does not correspond to removable media.\" do\n subject { \"#{non_removable_media_fs}\".include?(file_sys_line['file_system_type']) }\n it { should eq true }\n end\n end\n end\n else\n describe \"No file systems were found.\" do\n subject { file_systems.nil? }\n it { should eq true }\n end\n end", "tags": { - "check_id": "C-72275r2_chk", - "severity": "medium", - "gid": "V-72043", - "rid": "SV-86667r2_rule", - "stig_id": "RHEL-07-021010", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78395r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72275r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72043" - ], - "title": "The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.", - "desc": "[\"The \\\"nosuid\\\" mount option causes the system to not execute \\\"setuid\\\" and \\\"setgid\\\" files with owner privileges. This option must be used for mounting any file system not containing approved \\\"setuid\\\" and \\\"setguid\\\" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must prevent files with\nthe setuid and setgid bit set from being executed on file systems that are used\nwith removable media.", + "__new": "The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." + }, + "desc": { + "__old": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "__new": "The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access." + }, "descs": { - "check": "Verify file systems that are used for removable media are mounted with the \"nosuid\" option.\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0\n\nIf a file system found in \"/etc/fstab\" refers to removable media and it does not have the \"nosuid\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are associated with removable media." 
+ "default__deleted": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "rationale__deleted": "", + "check": { + "__old": "Verify file systems that are used for removable media are mounted with the\n\"nosuid\" option.\n\n Check the file systems that are mounted at boot time with the following\ncommand:\n\n # more /etc/fstab\n\n UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat\nnoauto,owner,ro,nosuid 0 0\n\n If a file system found in \"/etc/fstab\" refers to removable media and it\ndoes not have the \"nosuid\" option set, this is a finding.", + "__new": "Verify file systems that are used for removable media are mounted with the \"nosuid\" option.\n\nCheck the file systems that are mounted at boot time with the following command:\n\n# more /etc/fstab\n\nUUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0\n\nIf a file system found in \"/etc/fstab\" refers to removable media and it does not have the \"nosuid\" option set, this is a finding." + }, + "fix": { + "__old": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nfile systems that are associated with removable media.", + "__new": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are associated with removable media." + } } }, "V-72045": { + "describe__deleted": " nfs_systems = etc_fstab.nfs_file_systems.entries\n if !nfs_systems.nil? and !nfs_systems.empty?\n nfs_systems.each do |partition|\n describe partition do\n its('mount_options') { should include 'nosuid' }\n end\n end\n else\n describe \"No NFS file systems were found.\" do\n subject { nfs_systems.nil? or nfs_systems.empty? 
}\n it { should eq true }\n end\n end", "tags": { - "check_id": "C-72277r2_chk", - "severity": "medium", - "gid": "V-72045", - "rid": "SV-86669r2_rule", - "stig_id": "RHEL-07-021020", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78397r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72277r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72045" - ], - "title": "The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).", - "desc": "[\"The \\\"nosuid\\\" mount option causes the system to not execute \\\"setuid\\\" and \\\"setgid\\\" files with owner privileges. This option must be used for mounting any file system not containing approved \\\"setuid\\\" and \\\"setguid\\\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must prevent files with\nthe setuid and setgid bit set from being executed on file systems that are\nbeing imported via Network File System (NFS).", + "__new": "The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS)." + }, + "desc": { + "__old": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. 
Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "__new": "The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access." + }, "descs": { - "check": "Verify file systems that are being NFS imported are configured with the \"nosuid\" option.\n\nFind the file system(s) that contain the directories being exported with the following command:\n\n# more /etc/fstab | grep nfs\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0\n\nIf a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"nosuid\" option set, this is a finding.\n\nVerify the NFS is mounted with the \"nosuid\" option:\n\n# mount | grep nfs | grep nosuid\nIf no results are returned, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are being imported via NFS." + "default__deleted": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. 
Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "rationale__deleted": "", + "check": { + "__old": "Verify file systems that are being NFS imported are configured with the\n\"nosuid\" option.\n\n Find the file system(s) that contain the directories being exported with\nthe following command:\n\n # more /etc/fstab | grep nfs\n\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0\n\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have\nthe \"nosuid\" option set, this is a finding.\n\n Verify the NFS is mounted with the \"nosuid\" option:\n\n # mount | grep nfs | grep nosuid\n If no results are returned, this is a finding.", + "__new": "Verify file systems that are being NFS imported are configured with the \"nosuid\" option.\n\nFind the file system(s) that contain the directories being exported with the following command:\n\n# more /etc/fstab | grep nfs\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0\n\nIf a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"nosuid\" option set, this is a finding.\n\nVerify the NFS is mounted with the \"nosuid\" option:\n\n# mount | grep nfs | grep nosuid\nIf no results are returned, this is a finding." + }, + "fix": { + "__old": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on\nfile systems that are being imported via NFS.", + "__new": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are being imported via NFS." 
+ } } }, "V-72047": { + "describe__deleted": " application_groups = input('application_groups')\n\n ww_dirs = Set[]\n partitions = etc_fstab.params.map{|partition| partition['file_system_type']}.uniq\n partitions.each do |part|\n cmd = \"find / -perm -002 -xdev -type d -fstype #{part} -exec ls -lLd {} \\\\;\"\n ww_dirs = ww_dirs + command(cmd).stdout.split(\"\\n\")\n end\n\n ww_dirs.to_a.each do |curr_dir|\n dir_arr = curr_dir.split(' ')\n describe file(dir_arr.last) do\n its('group') { should be_in [\"root\",\"sys\",\"bin\"] + application_groups }\n end\n end", "tags": { - "check_id": "C-72279r4_chk", - "severity": "medium", - "gid": "V-72047", - "rid": "SV-86671r4_rule", - "stig_id": "RHEL-07-021030", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78399r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72279r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72047" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.", - "desc": "[\"If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others.\\n\\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. 
The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all world-writable directories are group-owned by root, sys, bin, or an\napplication group.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group." + }, + "desc": { + "__old": "If a world-writable directory has the sticky bit set and is not\ngroup-owned by a privileged Group Identifier (GID), unauthorized users may be\nable to modify files created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.", + "__new": "If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access." + }, "descs": { - "check": "Verify all world-writable directories are group-owned by root, sys, bin, or an application group.\n\nCheck the system for world-writable directories with the following command:\n\nNote: The value after -fstype must be replaced with the filesystem type. 
XFS is used as an example.\n\n# find / -xdev -perm -002 -type d -fstype xfs -exec ls -lLd {} \\;\ndrwxrwxrwt 2 root root 40 Aug 26 13:07 /dev/mqueue\ndrwxrwxrwt 2 root root 220 Aug 26 13:23 /dev/shm\ndrwxrwxrwt 14 root root 4096 Aug 26 13:29 /tmp\n\nIf any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding.", - "fix": "Change the group of the world-writable directories to root with the following command:\n\n# chgrp root " + "default__deleted": "If a world-writable directory has the sticky bit set and is not\ngroup-owned by a privileged Group Identifier (GID), unauthorized users may be\nable to modify files created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.", + "rationale__deleted": "", + "check": { + "__old": "Verify all world-writable directories are group-owned by root, sys, bin, or\nan application group.\n\n Check the system for world-writable directories with the following command:\n\n Note: The value after -fstype must be replaced with the filesystem type.\nXFS is used as an example.\n\n # find / -xdev -perm -002 -type d -fstype xfs -exec ls -lLd {} \\;\n drwxrwxrwt 2 root root 40 Aug 26 13:07 /dev/mqueue\n drwxrwxrwt 2 root root 220 Aug 26 13:23 /dev/shm\n drwxrwxrwt 14 root root 4096 Aug 26 13:29 /tmp\n\n If any world-writable directories are not owned by root, sys, bin, or an\napplication group associated with the directory, this is a finding.", + "__new": "Verify all world-writable directories are group-owned by root, sys, bin, or an application group.\n\nCheck the system for world-writable directories with the following command:\n\nNote: The value after -fstype must be 
replaced with the filesystem type. XFS is used as an example.\n\n# find / -xdev -perm -002 -type d -fstype xfs -exec ls -lLd {} \\;\ndrwxrwxrwt 2 root root 40 Aug 26 13:07 /dev/mqueue\ndrwxrwxrwt 2 root root 220 Aug 26 13:23 /dev/shm\ndrwxrwxrwt 14 root root 4096 Aug 26 13:29 /tmp\n\nIf any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding." + }, + "fix": { + "__old": "Change the group of the world-writable directories to root with the\nfollowing command:\n\n # chgrp root ", + "__new": "Change the group of the world-writable directories to root with the following command:\n\n# chgrp root " + } } }, "V-72049": { + "describe__deleted": " non_interactive_shells = input('non_interactive_shells')\n\n # Get all interactive users\n ignore_shells = non_interactive_shells.join('|')\n\n # Get home directory for users with UID >= 1000 or UID == 0 and support interactive logins.\n findings = Set[]\n dotfiles = Set[]\n umasks = {}\n umask_findings = Set[]\n\n # Get UID_MIN from login.defs\n uid_min = 1000\n if file(\"/etc/login.defs\").exist?\n uid_min_val = command(\"grep '^UID_MIN' /etc/login.defs | grep -Po '[0-9]+'\").stdout.split(\"\\n\")\n if !uid_min_val.empty?\n uid_min = uid_min_val[0].to_i\n end\n end\n\n interactive_users = users.where{ !shell.match(ignore_shells) && (uid >= uid_min || uid == 0)}.entries\n\n # For each user, build and execute a find command that identifies initialization files\n # in a user's home directory.\n interactive_users.each do |u|\n\n # Only check if the home directory is local\n is_local = command(\"df -l #{u.home}\").exit_status\n\n if is_local == 0\n # Get user's initialization files\n dotfiles = dotfiles + command(\"find #{u.home} -xdev -maxdepth 2 ( -name '.*' ! 
-name '.bash_history' ) -type f\").stdout.split(\"\\n\")\n\n # Get user's umask\n umasks.store(u.username,command(\"su -c 'umask' -l #{u.username}\").stdout.chomp(\"\\n\"))\n\n # Check all local initialization files to see whether or not they are less restrictive than 077.\n dotfiles.each do |df|\n if file(df).more_permissive_than?(\"0077\")\n findings = findings + df\n end\n end\n\n # Check umask for all interactive users\n umasks.each do |key,value|\n max_mode = (\"0077\").to_i(8)\n inv_mode = 0777 ^ max_mode\n if inv_mode & (value).to_i(8) != 0\n umask_findings = umask_findings + key\n end\n end\n else\n describe \"This control skips non-local filesystems\" do\n skip \"This control has skipped the #{u.home} home directory for #{u.username} because it is not a local filesystem.\"\n end\n end\n end\n\n # Report on any interactive files that are less restrictive than 077.\n describe \"No interactive user initialization files with a less restrictive umask were found.\" do\n subject { findings.empty? }\n it { should eq true }\n end\n\n # Report on any interactive users that have a umask less restrictive than 077.\n describe \"No users were found with a less restrictive umask were found.\" do\n subject { umask_findings.empty? 
}\n it { should eq true }\n end", "tags": { - "check_id": "C-72281r1_chk", - "severity": "medium", - "gid": "V-72049", - "rid": "SV-86673r2_rule", - "stig_id": "RHEL-07-021040", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78401r3_fix", - "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" - ], + "check_id__added": "C-72281r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1) (a)", - "CM-5 (1)" + [ + " " + ], + [ + " " + ], + [ + " " + ], + [ + "+", + "CM-5 (1) (a)" + ], + [ + " " + ], + [ + "-", + "CM-5 (1)" + ] ] }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72049" - ], - "title": "The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.", - "desc": "[\"The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be \\\"0\\\". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must set the umask value\nto 077 for all local interactive user accounts.", + "__new": "The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts." + }, + "desc": { + "__old": "The umask controls the default access mode assigned to newly created\nfiles. A umask of 077 limits new files to mode 700 or less permissive. Although\numask can be represented as a four-digit number, the first digit representing\nspecial access modes is typically ignored or required to be \"0\". 
This\nrequirement applies to the globally configured system defaults and the local\ninteractive user defaults for each account on the system.", + "__new": "The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be \"0\". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system." + }, "descs": { - "check": "Verify that the default umask for all local interactive users is \"077\".\n\nIdentify the locations of all local interactive user home directories by looking at the \"/etc/passwd\" file.\n\nCheck all local interactive user initialization files for interactive users with the following command:\n\nNote: The example is for a system that is configured to create users home directories in the \"/home\" directory.\n\n# grep -i umask /home/*/.*\n\nIf any local interactive user initialization files are found to have a umask statement that has a value less restrictive than \"077\", this is a finding.", - "fix": "Remove the umask statement from all local interactive user's initialization files. \n\nIf the account is for an application, the requirement for a umask less restrictive than \"077\" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account's environment variables." + "default__deleted": "The umask controls the default access mode assigned to newly created\nfiles. A umask of 077 limits new files to mode 700 or less permissive. 
Although\numask can be represented as a four-digit number, the first digit representing\nspecial access modes is typically ignored or required to be \"0\". This\nrequirement applies to the globally configured system defaults and the local\ninteractive user defaults for each account on the system.", + "rationale__deleted": "", + "check": { + "__old": "Verify that the default umask for all local interactive users is \"077\".\n\n Identify the locations of all local interactive user home directories by\nlooking at the \"/etc/passwd\" file.\n\n Check all local interactive user initialization files for interactive users\nwith the following command:\n\n Note: The example is for a system that is configured to create users home\ndirectories in the \"/home\" directory.\n\n # grep -i umask /home/*/.*\n\n If any local interactive user initialization files are found to have a\numask statement that has a value less restrictive than \"077\", this is a\nfinding.", + "__new": "Verify that the default umask for all local interactive users is \"077\".\n\nIdentify the locations of all local interactive user home directories by looking at the \"/etc/passwd\" file.\n\nCheck all local interactive user initialization files for interactive users with the following command:\n\nNote: The example is for a system that is configured to create users home directories in the \"/home\" directory.\n\n# grep -i umask /home/*/.*\n\nIf any local interactive user initialization files are found to have a umask statement that has a value less restrictive than \"077\", this is a finding." 
+ }, + "fix": { + "__old": "Remove the umask statement from all local interactive user's initialization\nfiles.\n\n If the account is for an application, the requirement for a umask less\nrestrictive than \"077\" can be documented with the Information System Security\nOfficer, but the user agreement for access to the account must specify that the\nlocal interactive user must log on to their account first and then switch the\nuser to the application account with the correct option to gain the account's\nenvironment variables.", + "__new": "Remove the umask statement from all local interactive user's initialization files. \n\nIf the account is for an application, the requirement for a umask less restrictive than \"077\" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account's environment variables." 
+ } } }, "V-72051": { + "describe__deleted": " log_pkg_path = input('log_pkg_path')\n\n describe.one do\n describe command(\"grep cron #{log_pkg_path}\") do\n its('stdout.strip') { should match %r{^cron} }\n end\n describe file(\"#{log_pkg_path}\") do\n its('content') { should match %r{^\\*\\.\\* \\/var\\/log\\/messages\\n?$} }\n its('content') { should_not match %r{^*.*\\s+~$.*^*\\.\\* \\/var\\/log\\/messages\\n?$}m }\n end\n end", "tags": { - "check_id": "C-72283r2_chk", - "severity": "medium", - "gid": "V-72051", - "rid": "SV-86675r2_rule", - "stig_id": "RHEL-07-021100", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78403r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72283r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72051" - ], - "title": "The Red Hat Enterprise Linux operating system must have cron logging implemented.", - "desc": "[\"Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must have cron logging\nimplemented.", + "__new": "The Red Hat Enterprise Linux operating system must have cron logging implemented." + }, + "desc": { + "__old": "Cron logging can be used to trace the successful or unsuccessful\nexecution of cron jobs. It can also be used to spot intrusions into the use of\nthe cron facility by unauthorized and malicious users.", + "__new": "Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users." 
+ }, "descs": { - "check": "Verify that \"rsyslog\" is configured to log cron events.\n\nCheck the configuration of \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files for the cron facility with the following command:\n\nNote: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n\n# grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf\ncron.* /var/log/cron.log\n\nIf the command does not return a response, check for cron logging all facilities by inspecting the \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n\nLook for the following entry:\n\n*.* /var/log/messages\n\nIf \"rsyslog\" is not logging messages for the cron facility or all facilities, this is a finding.", - "fix": "Configure \"rsyslog\" to log all cron messages by adding or updating the following line to \"/etc/rsyslog.conf\" or a configuration file in the /etc/rsyslog.d/ directory:\n\ncron.* /var/log/cron.log" + "default__deleted": "Cron logging can be used to trace the successful or unsuccessful\nexecution of cron jobs. 
It can also be used to spot intrusions into the use of\nthe cron facility by unauthorized and malicious users.", + "rationale__deleted": "", + "check": { + "__old": "Verify that \"rsyslog\" is configured to log cron events.\n\n Check the configuration of \"/etc/rsyslog.conf\" or\n\"/etc/rsyslog.d/*.conf\" files for the cron facility with the following\ncommand:\n\n Note: If another logging package is used, substitute the utility\nconfiguration file for \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n\n # grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n cron.* /var/log/cron.log\n\n If the command does not return a response, check for cron logging all\nfacilities by inspecting the \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\"\nfiles.\n\n Look for the following entry:\n\n *.* /var/log/messages\n\n If \"rsyslog\" is not logging messages for the cron facility or all\nfacilities, this is a finding.", + "__new": "Verify that \"rsyslog\" is configured to log cron events.\n\nCheck the configuration of \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files for the cron facility with the following command:\n\nNote: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n\n# grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf\ncron.* /var/log/cron.log\n\nIf the command does not return a response, check for cron logging all facilities by inspecting the \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n\nLook for the following entry:\n\n*.* /var/log/messages\n\nIf \"rsyslog\" is not logging messages for the cron facility or all facilities, this is a finding." 
+ }, + "fix": { + "__old": "Configure \"rsyslog\" to log all cron messages by adding or updating the\nfollowing line to \"/etc/rsyslog.conf\" or a configuration file in the\n/etc/rsyslog.d/ directory:\n\n cron.* /var/log/cron.log", + "__new": "Configure \"rsyslog\" to log all cron messages by adding or updating the following line to \"/etc/rsyslog.conf\" or a configuration file in the /etc/rsyslog.d/ directory:\n\ncron.* /var/log/cron.log" + } } }, "V-72053": { + "describe__deleted": " describe.one do\n # case where file doesn't exist\n describe file('/etc/cron.allow') do\n it { should_not exist }\n end\n # case where file exists\n describe file('/etc/cron.allow') do\n it { should be_owned_by 'root' }\n end\n end", "tags": { - "check_id": "C-72285r2_chk", - "severity": "medium", - "gid": "V-72053", - "rid": "SV-86677r3_rule", - "stig_id": "RHEL-07-021110", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78405r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72285r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72053" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.", - "desc": "[\"If the owner of the \\\"cron.allow\\\" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the cron.allow file, if it exists, is owned by root.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root." 
+ }, + "desc": { + "__old": "If the owner of the \"cron.allow\" file is not set to root, the\npossibility exists for an unauthorized user to view or to edit sensitive\ninformation.", + "__new": "If the owner of the \"cron.allow\" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information." + }, "descs": { - "check": "Verify that the \"cron.allow\" file is owned by root.\n\nCheck the owner of the \"cron.allow\" file with the following command:\n\n# ls -al /etc/cron.allow\n-rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n\nIf the \"cron.allow\" file exists and has an owner other than root, this is a finding.", - "fix": "Set the owner on the \"/etc/cron.allow\" file to root with the following command:\n\n# chown root /etc/cron.allow" + "default__deleted": "If the owner of the \"cron.allow\" file is not set to root, the\npossibility exists for an unauthorized user to view or to edit sensitive\ninformation.", + "rationale__deleted": "", + "check": { + "__old": "Verify that the \"cron.allow\" file is owned by root.\n\n Check the owner of the \"cron.allow\" file with the following command:\n\n # ls -al /etc/cron.allow\n -rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n\n If the \"cron.allow\" file exists and has an owner other than root, this is\na finding.", + "__new": "Verify that the \"cron.allow\" file is owned by root.\n\nCheck the owner of the \"cron.allow\" file with the following command:\n\n# ls -al /etc/cron.allow\n-rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n\nIf the \"cron.allow\" file exists and has an owner other than root, this is a finding." 
+ }, + "fix": { + "__old": "Set the owner on the \"/etc/cron.allow\" file to root with the following\ncommand:\n\n # chown root /etc/cron.allow", + "__new": "Set the owner on the \"/etc/cron.allow\" file to root with the following command:\n\n# chown root /etc/cron.allow" + } } }, "V-72055": { + "describe__deleted": " describe.one do\n # case where file doesn't exist\n describe file('/etc/cron.allow') do\n it { should_not exist }\n end\n # case where file exists\n describe file('/etc/cron.allow') do\n its('group') { should eq 'root' }\n end\n end", "tags": { - "check_id": "C-72287r1_chk", - "severity": "medium", - "gid": "V-72055", - "rid": "SV-86679r2_rule", - "stig_id": "RHEL-07-021120", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78407r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72287r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72055" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.", - "desc": "[\"If the group owner of the \\\"cron.allow\\\" file is not set to root, sensitive information could be viewed or edited by unauthorized users.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the cron.allow file, if it exists, is group-owned by root.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root." + }, + "desc": { + "__old": "If the group owner of the \"cron.allow\" file is not set to root,\nsensitive information could be viewed or edited by unauthorized users.", + "__new": "If the group owner of the \"cron.allow\" file is not set to root, sensitive information could be viewed or edited by unauthorized users." 
+ }, "descs": { - "check": "Verify that the \"cron.allow\" file is group-owned by root.\n\nCheck the group owner of the \"cron.allow\" file with the following command:\n\n# ls -al /etc/cron.allow\n-rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n\nIf the \"cron.allow\" file exists and has a group owner other than root, this is a finding.", - "fix": "Set the group owner on the \"/etc/cron.allow\" file to root with the following command:\n\n# chgrp root /etc/cron.allow" + "default__deleted": "If the group owner of the \"cron.allow\" file is not set to root,\nsensitive information could be viewed or edited by unauthorized users.", + "rationale__deleted": "", + "check": { + "__old": "Verify that the \"cron.allow\" file is group-owned by root.\n\n Check the group owner of the \"cron.allow\" file with the following command:\n\n # ls -al /etc/cron.allow\n -rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n\n If the \"cron.allow\" file exists and has a group owner other than root,\nthis is a finding.", + "__new": "Verify that the \"cron.allow\" file is group-owned by root.\n\nCheck the group owner of the \"cron.allow\" file with the following command:\n\n# ls -al /etc/cron.allow\n-rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow\n\nIf the \"cron.allow\" file exists and has a group owner other than root, this is a finding." 
+ }, + "fix": { + "__old": "Set the group owner on the \"/etc/cron.allow\" file to root with the\nfollowing command:\n\n # chgrp root /etc/cron.allow", + "__new": "Set the group owner on the \"/etc/cron.allow\" file to root with the following command:\n\n# chgrp root /etc/cron.allow" + } } }, "V-72057": { + "describe__deleted": " describe systemd_service('kdump.service') do\n it { should_not be_running }\n end", "tags": { - "check_id": "C-72289r1_chk", - "severity": "medium", - "gid": "V-72057", - "rid": "SV-86681r2_rule", - "stig_id": "RHEL-07-021300", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78409r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72289r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72057" - ], - "title": "The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed.", - "desc": "[\"Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must disable Kernel core\ndumps unless needed.", + "__new": "The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed." + }, + "desc": { + "__old": "Kernel core dumps may contain the full contents of system memory at\nthe time of the crash. Kernel core dumps may consume a considerable amount of\ndisk space and may result in denial of service by exhausting the available\nspace on the target file system partition.", + "__new": "Kernel core dumps may contain the full contents of system memory at the time of the crash. 
Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition." + }, "descs": { - "check": "Verify that kernel core dumps are disabled unless needed.\n\nCheck the status of the \"kdump\" service with the following command:\n\n# systemctl status kdump.service\nkdump.service - Crash recovery kernel arming\n Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled)\n Active: active (exited) since Wed 2015-08-26 13:08:09 EDT; 43min ago\n Main PID: 1130 (code=exited, status=0/SUCCESS)\nkernel arming.\n\nIf the \"kdump\" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).\n\nIf the service is active and is not documented, this is a finding.", - "fix": "If kernel core dumps are not required, disable the \"kdump\" service with the following command:\n\n# systemctl disable kdump.service\n\nIf kernel core dumps are required, document the need with the ISSO." + "default__deleted": "Kernel core dumps may contain the full contents of system memory at\nthe time of the crash. 
Kernel core dumps may consume a considerable amount of\ndisk space and may result in denial of service by exhausting the available\nspace on the target file system partition.", + "rationale__deleted": "", + "check": { + "__old": "Verify that kernel core dumps are disabled unless needed.\n\n Check the status of the \"kdump\" service with the following command:\n\n # systemctl status kdump.service\n kdump.service - Crash recovery kernel arming\n Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled)\n Active: active (exited) since Wed 2015-08-26 13:08:09 EDT; 43min ago\n Main PID: 1130 (code=exited, status=0/SUCCESS)\n kernel arming.\n\n If the \"kdump\" service is active, ask the System Administrator if the use\nof the service is required and documented with the Information System Security\nOfficer (ISSO).\n\n If the service is active and is not documented, this is a finding.", + "__new": "Verify that kernel core dumps are disabled unless needed.\n\nCheck the status of the \"kdump\" service with the following command:\n\n# systemctl status kdump.service\nkdump.service - Crash recovery kernel arming\n Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled)\n Active: active (exited) since Wed 2015-08-26 13:08:09 EDT; 43min ago\n Main PID: 1130 (code=exited, status=0/SUCCESS)\nkernel arming.\n\nIf the \"kdump\" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).\n\nIf the service is active and is not documented, this is a finding." 
+ }, + "fix": { + "__old": "If kernel core dumps are not required, disable the \"kdump\" service with\nthe following command:\n\n # systemctl disable kdump.service\n\n If kernel core dumps are required, document the need with the ISSO.", + "__new": "If kernel core dumps are not required, disable the \"kdump\" service with the following command:\n\n# systemctl disable kdump.service\n\nIf kernel core dumps are required, document the need with the ISSO." + } } }, "V-72059": { + "describe__deleted": " exempt_home_users = input('exempt_home_users')\n non_interactive_shells = input('non_interactive_shells')\n\n ignore_shells = non_interactive_shells.join('|')\n\n uid_min = login_defs.read_params['UID_MIN'].to_i\n uid_min = 1000 if uid_min.nil?\n\n # excluding root because its home directory is usually \"/root\" (mountpoint \"/\")\n users.where{ !shell.match(ignore_shells) && (uid >= uid_min)}.entries.each do |user_info|\n next if exempt_home_users.include?(\"#{user_info.username}\")\n\n home_mount = command(%(df #{user_info.home} --output=target | tail -1)).stdout.strip\n describe user_info.username do\n context 'with mountpoint' do\n context home_mount do\n it { should_not be_empty }\n it { should_not match(%r(^/$)) }\n end\n end\n end\n end", "tags": { - "check_id": "C-72291r2_chk", - "severity": "low", - "gid": "V-72059", - "rid": "SV-86683r2_rule", - "stig_id": "RHEL-07-021310", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78411r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72291r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "low" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72059" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).", - "desc": "[\"The use of separate file systems for different paths can protect the system 
from failures resulting from a file system becoming full or failing.false\"]", - "impact": 0.3, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat a separate file system is used for user home directories (such as /home or\nan equivalent).", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent)." + }, + "desc": { + "__old": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "__new": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing." + }, "descs": { - "check": "Verify that a separate file system/partition has been created for non-privileged local interactive user home directories.\n\nCheck the home directory assignment for all non-privileged users (those with a UID greater than 1000) on the system with the following command:\n\n#cut -d: -f 1,3,6,7 /etc/passwd | egrep \":[1-4][0-9]{3}\" | tr \":\" \"\\t\"\n\nadamsj /home/adamsj /bin/bash\njacksonm /home/jacksonm /bin/bash\nsmithj /home/smithj /bin/bash\n\nThe output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, /home) and users' shell. 
All accounts with a valid shell (such as /bin/bash) are considered interactive users.\n\nCheck that a file system/partition has been created for the non-privileged interactive users with the following command:\n\nNote: The partition of /home is used in the example.\n\n# grep /home /etc/fstab\nUUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2\n\nIf a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding.", - "fix": "Migrate the \"/home\" directory onto a separate file system/partition." + "default__deleted": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "rationale__deleted": "", + "check": { + "__old": "Verify that a separate file system/partition has been created for\nnon-privileged local interactive user home directories.\n\n Check the home directory assignment for all non-privileged users (those\nwith a UID greater than 1000) on the system with the following command:\n\n #cut -d: -f 1,3,6,7 /etc/passwd | egrep \":[1-4][0-9]{3}\" | tr \":\"\n\"\\t\"\n\n adamsj /home/adamsj /bin/bash\n jacksonm /home/jacksonm /bin/bash\n smithj /home/smithj /bin/bash\n\n The output of the command will give the directory/partition that contains\nthe home directories for the non-privileged users on the system (in this\nexample, /home) and users' shell. 
All accounts with a valid shell (such as\n/bin/bash) are considered interactive users.\n\n Check that a file system/partition has been created for the non-privileged\ninteractive users with the following command:\n\n Note: The partition of /home is used in the example.\n\n # grep /home /etc/fstab\n UUID=333ada18 /home ext4 noatime,nobarrier,nodev 1\n2\n\n If a separate entry for the file system/partition that contains the\nnon-privileged interactive users' home directories does not exist, this is a\nfinding.", + "__new": "Verify that a separate file system/partition has been created for non-privileged local interactive user home directories.\n\nCheck the home directory assignment for all non-privileged users (those with a UID greater than 1000) on the system with the following command:\n\n#cut -d: -f 1,3,6,7 /etc/passwd | egrep \":[1-4][0-9]{3}\" | tr \":\" \"\\t\"\n\nadamsj /home/adamsj /bin/bash\njacksonm /home/jacksonm /bin/bash\nsmithj /home/smithj /bin/bash\n\nThe output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, /home) and users' shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users.\n\nCheck that a file system/partition has been created for the non-privileged interactive users with the following command:\n\nNote: The partition of /home is used in the example.\n\n# grep /home /etc/fstab\nUUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2\n\nIf a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding." + }, + "fix": { + "__old": "Migrate the \"/home\" directory onto a separate file\nsystem/partition.", + "__new": "Migrate the \"/home\" directory onto a separate file system/partition." 
+ } } }, "V-72061": { + "describe__deleted": " describe mount('/var') do\n it { should be_mounted }\n end", "tags": { - "check_id": "C-72293r1_chk", - "severity": "low", - "gid": "V-72061", - "rid": "SV-86685r2_rule", - "stig_id": "RHEL-07-021320", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78413r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72293r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "low" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72061" - ], - "title": "The Red Hat Enterprise Linux operating system must use a separate file system for /var.", - "desc": "[\"The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false\"]", - "impact": 0.3, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must use a separate file\nsystem for /var.", + "__new": "The Red Hat Enterprise Linux operating system must use a separate file system for /var." + }, + "desc": { + "__old": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "__new": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing." + }, "descs": { - "check": "Verify that a separate file system/partition has been created for \"/var\".\n\nCheck that a file system/partition has been created for \"/var\" with the following command:\n\n# grep /var /etc/fstab\nUUID=c274f65f /var ext4 noatime,nobarrier 1 2\n\nIf a separate entry for \"/var\" is not in use, this is a finding.", - "fix": "Migrate the \"/var\" path onto a separate file system." 
+ "default__deleted": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "rationale__deleted": "", + "check": { + "__old": "Verify that a separate file system/partition has been created for \"/var\".\n\n Check that a file system/partition has been created for \"/var\" with the\nfollowing command:\n\n # grep /var /etc/fstab\n UUID=c274f65f /var ext4 noatime,nobarrier 1\n2\n\n If a separate entry for \"/var\" is not in use, this is a finding.", + "__new": "Verify that a separate file system/partition has been created for \"/var\".\n\nCheck that a file system/partition has been created for \"/var\" with the following command:\n\n# grep /var /etc/fstab\nUUID=c274f65f /var ext4 noatime,nobarrier 1 2\n\nIf a separate entry for \"/var\" is not in use, this is a finding." + } } }, "V-72063": { + "describe__deleted": " describe mount('/var/log/audit') do\n it {should be_mounted}\n end", "tags": { - "check_id": "C-72295r10_chk", - "severity": "low", - "gid": "V-72063", - "rid": "SV-86687r6_rule", - "stig_id": "RHEL-07-021330", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78415r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72295r10_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "low" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72063" - ], - "title": "The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path.", - "desc": "[\"The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false\"]", - "impact": 0.3, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must use a separate file\nsystem for the system audit data path.", + "__new": "The Red Hat Enterprise Linux operating system must use a separate file 
system for the system audit data path." + }, + "desc": { + "__old": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "__new": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing." + }, "descs": { - "check": "Determine if the operating system is configured to have the \"/var/log/audit\" path is on a separate file system.\n\n# grep /var/log/audit /etc/fstab\n\nIf no result is returned, or the operating system is not configured to have \"/var/log/audit\" on a separate file system, this is a finding.\n\nVerify that \"/var/log/audit\" is mounted on a separate file system:\n\n# mount | grep \"/var/log/audit\"\n\nIf no result is returned, or \"/var/log/audit\" is not on a separate file system, this is a finding.", - "fix": "Migrate the system audit data path onto a separate file system." + "default__deleted": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "rationale__deleted": "", + "check": { + "__old": "Determine if the operating system is configured to have the\n\"/var/log/audit\" path is on a separate file system.\n\n # grep /var/log/audit /etc/fstab\n\n If no result is returned, or the operating system is not configured to have\n\"/var/log/audit\" on a separate file system, this is a finding.\n\n Verify that \"/var/log/audit\" is mounted on a separate file system:\n\n # mount | grep \"/var/log/audit\"\n\n If no result is returned, or \"/var/log/audit\" is not on a separate file\nsystem, this is a finding.", + "__new": "Determine if the operating system is configured to have the \"/var/log/audit\" path is on a separate file system.\n\n# grep /var/log/audit /etc/fstab\n\nIf no result is returned, or the operating system is not configured to have \"/var/log/audit\" on a 
separate file system, this is a finding.\n\nVerify that \"/var/log/audit\" is mounted on a separate file system:\n\n# mount | grep \"/var/log/audit\"\n\nIf no result is returned, or \"/var/log/audit\" is not on a separate file system, this is a finding." + } } }, "V-72065": { + "describe__deleted": " describe.one do\n describe systemd_service('tmp.mount') do\n it { should be_enabled }\n end\n describe etc_fstab.where { mount_point == '/tmp' } do\n its('count') { should cmp 1 }\n it 'Should have a device name specified' do\n expect(subject.device_name[0]).to_not(be_empty)\n end\n end\n end", "tags": { - "check_id": "C-72297r2_chk", - "severity": "low", - "gid": "V-72065", - "rid": "SV-86689r3_rule", - "stig_id": "RHEL-07-021340", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78417r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72297r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "low" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72065" - ], - "title": "The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).", - "desc": "[\"The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false\"]", - "impact": 0.3, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must use a separate file\nsystem for /tmp (or equivalent).", + "__new": "The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent)." + }, + "desc": { + "__old": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "__new": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing." 
+ }, "descs": { - "check": "Verify that a separate file system/partition has been created for \"/tmp\".\n\nCheck that a file system/partition has been created for \"/tmp\" with the following command:\n\n# systemctl is-enabled tmp.mount\nenabled\n\nIf the \"tmp.mount\" service is not enabled, check to see if \"/tmp\" is defined in the fstab with a device and mount point:\n\n# grep -i /tmp /etc/fstab\nUUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data=ordered,nosuid,noexec, 0 0\n\nIf \"tmp.mount\" service is not enabled and the \"/tmp\" directory is not defined in the fstab with a device and mount point, this is a finding.", - "fix": "Start the \"tmp.mount\" service with the following command:\n\n# systemctl enable tmp.mount\n \nOR\n\nEdit the \"/etc/fstab\" file and ensure the \"/tmp\" directory is defined in the fstab with a device and mount point." + "default__deleted": "The use of separate file systems for different paths can protect the\nsystem from failures resulting from a file system becoming full or failing.", + "rationale__deleted": "", + "check": { + "__old": "Verify that a separate file system/partition has been created for \"/tmp\".\n\n Check that a file system/partition has been created for \"/tmp\" with the\nfollowing command:\n\n # systemctl is-enabled tmp.mount\n enabled\n\n If the \"tmp.mount\" service is not enabled, check to see if \"/tmp\" is\ndefined in the fstab with a device and mount point:\n\n # grep -i /tmp /etc/fstab\n UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4\nrw,relatime,discard,data=ordered,nosuid,noexec, 0 0\n\n If \"tmp.mount\" service is not enabled and the \"/tmp\" directory is not\ndefined in the fstab with a device and mount point, this is a finding.", + "__new": "Verify that a separate file system/partition has been created for \"/tmp\".\n\nCheck that a file system/partition has been created for \"/tmp\" with the following command:\n\n# systemctl is-enabled tmp.mount\nenabled\n\nIf the 
\"tmp.mount\" service is not enabled, check to see if \"/tmp\" is defined in the fstab with a device and mount point:\n\n# grep -i /tmp /etc/fstab\nUUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data=ordered,nosuid,noexec, 0 0\n\nIf \"tmp.mount\" service is not enabled and the \"/tmp\" directory is not defined in the fstab with a device and mount point, this is a finding." + }, + "fix": { + "__old": "Start the \"tmp.mount\" service with the following command:\n\n # systemctl enable tmp.mount\n\n OR\n\n Edit the \"/etc/fstab\" file and ensure the \"/tmp\" directory is defined\nin the fstab with a device and mount point.", + "__new": "Start the \"tmp.mount\" service with the following command:\n\n# systemctl enable tmp.mount\n \nOR\n\nEdit the \"/etc/fstab\" file and ensure the \"/tmp\" directory is defined in the fstab with a device and mount point." + } } }, "V-72067": { + "describe__deleted": " describe package('dracut-fips') do\n it { should be_installed }\n end\n\n all_args = command('grubby --info=ALL | grep \"^args=\" | sed \"s/^args=//g\"').\n stdout.strip.split(\"\\n\").\n map { |s| s.sub(%r{^\"(.*)\"$}, '\\1') } # strip outer quotes if they exist\n\n all_args.each { |args|\n describe args do\n it { should match %r{\\bfips=1\\b} }\n end\n }\n\n describe file('/proc/sys/crypto/fips_enabled') do\n its('content.strip') { should cmp 1 }\n end", "tags": { - "check_id": "C-72299r3_chk", - "severity": "high", - "gid": "V-72067", - "rid": "SV-86691r4_rule", - "stig_id": "RHEL-07-021350", - "gtitle": "SRG-OS-000033-GPOS-00014", - "fix_id": "F-78419r3_fix", - "cci": [ - "CCI-000068", - "CCI-001199", - "CCI-002450", - "CCI-002476" - ], + "check_id__added": "C-72299r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + }, "nist": [ - "AC-17 (2)", - "SC-28", - "SC-13 b", - "SC-28 (1)" + [ + " " + ], + [ + " " + ], + [ + "-", + "SC-13" + ], + [ + "+", + "SC-13 b" + ], + [ + " " + ] ] }, "refs": [ [ + "+", 
"DPMS Target Red Hat 7" ] ], - "id": [ - "V-72067" - ], - "title": "The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.", - "desc": "[\"Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\\n\\nSatisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must implement NIST\nFIPS-validated cryptography for the following: to provision digital signatures,\nto generate cryptographic hashes, and to protect data requiring data-at-rest\nprotections in accordance with applicable federal laws, Executive Orders,\ndirectives, policies, regulations, and standards.", + "__new": "The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." + }, + "desc": { + "__old": "Use of weak or untested encryption algorithms undermines the purposes\nof using encryption to protect data. 
The operating system must implement\ncryptographic modules adhering to the higher standards approved by the federal\ngovernment since this provides assurance they have been tested and validated.", + "__new": "Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\n" + }, "descs": { - "check": "Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions.\n\nCheck to see if the \"dracut-fips\" package is installed with the following command:\n\n# yum list installed dracut-fips\n\ndracut-fips-033-360.el7_2.x86_64.rpm\n\nIf a \"dracut-fips\" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command:\n\nNote: GRUB 2 reads its configuration from the \"/boot/grub2/grub.cfg\" file on traditional BIOS-based machines and from the \"/boot/efi/EFI/redhat/grub.cfg\" file on UEFI machines.\n\n# grep fips /boot/grub2/grub.cfg\n/vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet\n\nIf the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:\n\n# cat /proc/sys/crypto/fips_enabled \n1\n\nIf a \"dracut-fips\" package is not installed, the kernel command line does not have a fips entry, or the system has a value of \"0\" for \"fips_enabled\" in \"/proc/sys/crypto\", this is a finding.", - "fix": "Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package.\n\nTo enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system 
installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.\n\nConfigure the operating system to implement DoD-approved encryption by following the steps below: \n\nThe fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key.\n\nInstall the dracut-fips package with the following command:\n\n# yum install dracut-fips\n\nRecreate the \"initramfs\" file with the following command:\n\nNote: This command will overwrite the existing \"initramfs\" file.\n\n# dracut -f\n\nModify the kernel command line of the current kernel in the \"grub.cfg\" file by adding the following option to the GRUB_CMDLINE_LINUX key in the \"/etc/default/grub\" file and then rebuild the \"grub.cfg\" file:\n\nfips=1\n\nChanges to \"/etc/default/grub\" require rebuilding the \"grub.cfg\" file as follows:\n\nOn BIOS-based machines, use the following command:\n\n# grub2-mkconfig -o /boot/grub2/grub.cfg\n\nOn UEFI-based machines, use the following command:\n\n# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg\n\nIf /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line. 
You can identify a partition by running the df /boot or df /boot/efi command:\n\n# df /boot\nFilesystem 1K-blocks Used Available Use% Mounted on\n/dev/sda1 495844 53780 416464 12% /boot\n\nTo ensure the \"boot=\" configuration option will work even if device naming changes occur between boots, identify the universally unique identifier (UUID) of the partition with the following command:\n\n# blkid /dev/sda1\n/dev/sda1: UUID=\"05c000f1-a213-759e-c7a2-f11b7424c797\" TYPE=\"ext4\"\n\nFor the example above, append the following string to the kernel command line:\n\nboot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797\n\nReboot the system for the changes to take effect." + "default__deleted": "Use of weak or untested encryption algorithms undermines the purposes\nof using encryption to protect data. The operating system must implement\ncryptographic modules adhering to the higher standards approved by the federal\ngovernment since this provides assurance they have been tested and validated.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system implements DoD-approved encryption to protect\nthe confidentiality of remote access sessions.\n\n Check to see if the \"dracut-fips\" package is installed with the following\ncommand:\n\n # yum list installed dracut-fips\n\n dracut-fips-033-360.el7_2.x86_64.rpm\n\n If a \"dracut-fips\" package is installed, check to see if the kernel\ncommand line is configured to use FIPS mode with the following command:\n\n Note: GRUB 2 reads its configuration from the \"/boot/grub2/grub.cfg\" file\non traditional BIOS-based machines and from the\n\"/boot/efi/EFI/redhat/grub.cfg\" file on UEFI machines.\n\n # grep fips /boot/grub2/grub.cfg\n /vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0\nrd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us\nrd.lvm.lv=rhel/root rhgb fips=1 quiet\n\n If the kernel command line is configured to use FIPS mode, check to see if\nthe system is in FIPS 
mode with the following command:\n\n # cat /proc/sys/crypto/fips_enabled\n 1\n\n If a \"dracut-fips\" package is not installed, the kernel command line does\nnot have a fips entry, or the system has a value of \"0\" for \"fips_enabled\"\nin \"/proc/sys/crypto\", this is a finding.", + "__new": "Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions.\n\nCheck to see if the \"dracut-fips\" package is installed with the following command:\n\n# yum list installed dracut-fips\n\ndracut-fips-033-360.el7_2.x86_64.rpm\n\nIf a \"dracut-fips\" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command:\n\nNote: GRUB 2 reads its configuration from the \"/boot/grub2/grub.cfg\" file on traditional BIOS-based machines and from the \"/boot/efi/EFI/redhat/grub.cfg\" file on UEFI machines.\n\n# grep fips /boot/grub2/grub.cfg\n/vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet\n\nIf the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:\n\n# cat /proc/sys/crypto/fips_enabled \n1\n\nIf a \"dracut-fips\" package is not installed, the kernel command line does not have a fips entry, or the system has a value of \"0\" for \"fips_enabled\" in \"/proc/sys/crypto\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to implement DoD-approved encryption by\ninstalling the dracut-fips package.\n\n To enable strict FIPS compliance, the fips=1 kernel option needs to be\nadded to the kernel command line during system installation so key generation\nis done with FIPS-approved algorithms and continuous monitoring tests in place.\n\n Configure the operating system to implement DoD-approved encryption by\nfollowing the steps below:\n\n The fips=1 kernel option needs to be added to the kernel command line\nduring system installation so that key generation is done with FIPS-approved\nalgorithms and continuous monitoring tests in place. Users should also ensure\nthat the system has plenty of entropy during the installation process by moving\nthe mouse around, or if no mouse is available, ensuring that many keystrokes\nare typed. The recommended amount of keystrokes is 256 and more. Less than 256\nkeystrokes may generate a non-unique key.\n\n Install the dracut-fips package with the following command:\n\n # yum install dracut-fips\n\n Recreate the \"initramfs\" file with the following command:\n\n Note: This command will overwrite the existing \"initramfs\" file.\n\n # dracut -f\n\n Modify the kernel command line of the current kernel in the \"grub.cfg\"\nfile by adding the following option to the GRUB_CMDLINE_LINUX key in the\n\"/etc/default/grub\" file and then rebuild the \"grub.cfg\" file:\n\n fips=1\n\n Changes to \"/etc/default/grub\" require rebuilding the \"grub.cfg\" file\nas follows:\n\n On BIOS-based machines, use the following command:\n\n # grub2-mkconfig -o /boot/grub2/grub.cfg\n\n On UEFI-based machines, use the following command:\n\n # grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg\n\n If /boot or /boot/efi reside on separate partitions, the kernel parameter\nboot= must be added to the kernel command\nline. 
You can identify a partition by running the df /boot or df /boot/efi\ncommand:\n\n # df /boot\n Filesystem 1K-blocks Used Available Use% Mounted on\n /dev/sda1 495844 53780 416464 12% /boot\n\n To ensure the \"boot=\" configuration option will work even if device\nnaming changes occur between boots, identify the universally unique identifier\n(UUID) of the partition with the following command:\n\n # blkid /dev/sda1\n /dev/sda1: UUID=\"05c000f1-a213-759e-c7a2-f11b7424c797\" TYPE=\"ext4\"\n\n For the example above, append the following string to the kernel command\nline:\n\n boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797\n\n Reboot the system for the changes to take effect.", + "__new": "Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package.\n\nTo enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.\n\nConfigure the operating system to implement DoD-approved encryption by following the steps below: \n\nThe fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. 
Less than 256 keystrokes may generate a non-unique key.\n\nInstall the dracut-fips package with the following command:\n\n# yum install dracut-fips\n\nRecreate the \"initramfs\" file with the following command:\n\nNote: This command will overwrite the existing \"initramfs\" file.\n\n# dracut -f\n\nModify the kernel command line of the current kernel in the \"grub.cfg\" file by adding the following option to the GRUB_CMDLINE_LINUX key in the \"/etc/default/grub\" file and then rebuild the \"grub.cfg\" file:\n\nfips=1\n\nChanges to \"/etc/default/grub\" require rebuilding the \"grub.cfg\" file as follows:\n\nOn BIOS-based machines, use the following command:\n\n# grub2-mkconfig -o /boot/grub2/grub.cfg\n\nOn UEFI-based machines, use the following command:\n\n# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg\n\nIf /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command:\n\n# df /boot\nFilesystem 1K-blocks Used Available Use% Mounted on\n/dev/sda1 495844 53780 416464 12% /boot\n\nTo ensure the \"boot=\" configuration option will work even if device naming changes occur between boots, identify the universally unique identifier (UUID) of the partition with the following command:\n\n# blkid /dev/sda1\n/dev/sda1: UUID=\"05c000f1-a213-759e-c7a2-f11b7424c797\" TYPE=\"ext4\"\n\nFor the example above, append the following string to the kernel command line:\n\nboot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797\n\nReboot the system for the changes to take effect." + } } }, "V-72069": { + "describe__deleted": " describe package(\"aide\") do\n it { should be_installed }\n end\n\n findings = []\n aide_conf.where { !selection_line.start_with? '!' }.entries.each do |selection|\n unless selection.rules.include? 
'acl'\n findings.append(selection.selection_line)\n end\n end\n\n describe \"List of monitored files/directories without 'acl' rule\" do\n subject { findings }\n it { should be_empty }\n end", "tags": { - "check_id": "C-72301r3_chk", - "severity": "low", - "gid": "V-72069", - "rid": "SV-86693r3_rule", - "stig_id": "RHEL-07-021600", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78421r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72301r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "low" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72069" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).", - "desc": "[\"ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.false\"]", - "impact": 0.3, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the file integrity tool is configured to verify Access Control Lists\n(ACLs).", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs)." + }, + "desc": { + "__old": "ACLs can provide permissions beyond those permitted through the file\nmode and must be verified by file integrity tools.", + "__new": "ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools." + }, "descs": { - "check": "Verify the file integrity tool is configured to verify ACLs.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. 
\n\nIf there is no application installed to perform file integrity checks, this is a finding.\n\nNote: AIDE is highly configurable at install time. These commands assume the \"aide.conf\" file is under the \"/etc\" directory. \n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"acl\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"acl\" rule is below:\n\nAll= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n/bin All # apply the custom rule to the files in bin \n/sbin All # apply the same custom rule to the files in sbin \n\nIf the \"acl\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or ACLs are not being checked by another file integrity tool, this is a finding.", - "fix": "Configure the file integrity tool to check file and directory ACLs. \n\nIf AIDE is installed, ensure the \"acl\" rule is present on all uncommented file and directory selection lists." + "default__deleted": "ACLs can provide permissions beyond those permitted through the file\nmode and must be verified by file integrity tools.", + "rationale__deleted": "", + "check": { + "__old": "Verify the file integrity tool is configured to verify ACLs.\n\n Check to see if Advanced Intrusion Detection Environment (AIDE) is\ninstalled on the system with the following command:\n\n # yum list installed aide\n\n If AIDE is not installed, ask the System Administrator how file integrity\nchecks are performed on the system.\n\n If there is no application installed to perform file integrity checks, this\nis a finding.\n\n Note: AIDE is highly configurable at install time. 
These commands assume\nthe \"aide.conf\" file is under the \"/etc\" directory.\n\n Use the following command to determine if the file is in another location:\n\n # find / -name aide.conf\n\n Check the \"aide.conf\" file to determine if the \"acl\" rule has been\nadded to the rule list being applied to the files and directories selection\nlists.\n\n An example rule that includes the \"acl\" rule is below:\n\n All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\n If the \"acl\" rule is not being used on all uncommented selection lines in\nthe \"/etc/aide.conf\" file, or ACLs are not being checked by another file\nintegrity tool, this is a finding.", + "__new": "Verify the file integrity tool is configured to verify ACLs.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. \n\nIf there is no application installed to perform file integrity checks, this is a finding.\n\nNote: AIDE is highly configurable at install time. These commands assume the \"aide.conf\" file is under the \"/etc\" directory. 
\n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"acl\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"acl\" rule is below:\n\nAll= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n/bin All # apply the custom rule to the files in bin \n/sbin All # apply the same custom rule to the files in sbin \n\nIf the \"acl\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or ACLs are not being checked by another file integrity tool, this is a finding." + }, + "fix": { + "__old": "Configure the file integrity tool to check file and directory ACLs.\n\n If AIDE is installed, ensure the \"acl\" rule is present on all uncommented\nfile and directory selection lists.", + "__new": "Configure the file integrity tool to check file and directory ACLs. \n\nIf AIDE is installed, ensure the \"acl\" rule is present on all uncommented file and directory selection lists." + } } }, "V-72071": { + "describe__deleted": " describe package(\"aide\") do\n it { should be_installed }\n end\n\n findings = []\n aide_conf.where { !selection_line.start_with? '!' }.entries.each do |selection|\n unless selection.rules.include? 
'xattrs'\n findings.append(selection.selection_line)\n end\n end\n\n describe \"List of monitored files/directories without 'xattrs' rule\" do\n subject { findings }\n it { should be_empty }\n end", "tags": { - "check_id": "C-72303r3_chk", - "severity": "low", - "gid": "V-72071", - "rid": "SV-86695r3_rule", - "stig_id": "RHEL-07-021610", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78423r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72303r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "low" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72071" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.", - "desc": "[\"Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.false\"]", - "impact": 0.3, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the file integrity tool is configured to verify extended attributes.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes." + }, + "desc": { + "__old": "Extended attributes in file systems are used to contain arbitrary data\nand file metadata with security implications.", + "__new": "Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications." 
+ }, "descs": { - "check": "Verify the file integrity tool is configured to verify extended attributes.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nIf there is no application installed to perform file integrity checks, this is a finding.\n\nNote: AIDE is highly configurable at install time. These commands assume the \"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"xattrs\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"xattrs\" rule follows:\n\nAll= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n/bin All # apply the custom rule to the files in bin \n/sbin All # apply the same custom rule to the files in sbin \n\nIf the \"xattrs\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or extended attributes are not being checked by another file integrity tool, this is a finding.", - "fix": "Configure the file integrity tool to check file and directory extended attributes. \n\nIf AIDE is installed, ensure the \"xattrs\" rule is present on all uncommented file and directory selection lists." 
+ "default__deleted": "Extended attributes in file systems are used to contain arbitrary data\nand file metadata with security implications.", + "rationale__deleted": "", + "check": { + "__old": "Verify the file integrity tool is configured to verify extended attributes.\n\n Check to see if Advanced Intrusion Detection Environment (AIDE) is\ninstalled on the system with the following command:\n\n # yum list installed aide\n\n If AIDE is not installed, ask the System Administrator how file integrity\nchecks are performed on the system.\n\n If there is no application installed to perform file integrity checks, this\nis a finding.\n\n Note: AIDE is highly configurable at install time. These commands assume\nthe \"aide.conf\" file is under the \"/etc\" directory.\n\n Use the following command to determine if the file is in another location:\n\n # find / -name aide.conf\n\n Check the \"aide.conf\" file to determine if the \"xattrs\" rule has been\nadded to the rule list being applied to the files and directories selection\nlists.\n\n An example rule that includes the \"xattrs\" rule follows:\n\n All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\n If the \"xattrs\" rule is not being used on all uncommented selection lines\nin the \"/etc/aide.conf\" file, or extended attributes are not being checked by\nanother file integrity tool, this is a finding.", + "__new": "Verify the file integrity tool is configured to verify extended attributes.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.\n\nIf there is no application installed to perform file integrity checks, this is a finding.\n\nNote: AIDE is highly configurable at install time. 
These commands assume the \"aide.conf\" file is under the \"/etc\" directory.\n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"xattrs\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"xattrs\" rule follows:\n\nAll= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n/bin All # apply the custom rule to the files in bin \n/sbin All # apply the same custom rule to the files in sbin \n\nIf the \"xattrs\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or extended attributes are not being checked by another file integrity tool, this is a finding." + }, + "fix": { + "__old": "Configure the file integrity tool to check file and directory extended\nattributes.\n\n If AIDE is installed, ensure the \"xattrs\" rule is present on all\nuncommented file and directory selection lists.", + "__new": "Configure the file integrity tool to check file and directory extended attributes. \n\nIf AIDE is installed, ensure the \"xattrs\" rule is present on all uncommented file and directory selection lists." 
+ } } }, "V-72073": { + "describe__deleted": " describe package(\"aide\") do\n it { should be_installed }\n end\n\n exclude_patterns = input('aide_exclude_patterns')\n\n findings = aide_conf.where { !selection_line.start_with?('!') && !exclude_patterns.include?(selection_line) && !rules.include?('sha512')}\n\n describe \"List of monitored files/directories without 'sha512' rule\" do\n subject { findings.selection_lines }\n it { should be_empty }\n end", "tags": { - "check_id": "C-72305r4_chk", - "severity": "medium", - "gid": "V-72073", - "rid": "SV-86697r3_rule", - "stig_id": "RHEL-07-021620", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78425r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72305r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72073" - ], - "title": "The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.", - "desc": "[\"File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must use a file\nintegrity tool that is configured to use FIPS 140-2 approved cryptographic\nhashes for validating file contents and directories.", + "__new": "The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories." + }, + "desc": { + "__old": "File integrity tools use cryptographic hashes for verifying file\ncontents and directories have not been altered. 
These hashes must be FIPS 140-2\napproved cryptographic hashes.", + "__new": "File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes." + }, "descs": { - "check": "Verify the file integrity tool is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.\n\nNote: If RHEL-07-021350 is a finding, this is automatically a finding too as the system cannot implement FIPS 140-2 approved cryptographic algorithms and hashes.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. \n\nIf there is no application installed to perform file integrity checks, this is a finding.\n\nNote: AIDE is highly configurable at install time. These commands assume the \"aide.conf\" file is under the \"/etc\" directory. \n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"sha512\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"sha512\" rule follows:\n\nAll=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n/bin All # apply the custom rule to the files in bin \n/sbin All # apply the same custom rule to the files in sbin \n\nIf the \"sha512\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding.", - "fix": "Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. 
\n\nIf AIDE is installed, ensure the \"sha512\" rule is present on all uncommented file and directory selection lists." + "default__deleted": "File integrity tools use cryptographic hashes for verifying file\ncontents and directories have not been altered. These hashes must be FIPS 140-2\napproved cryptographic hashes.", + "rationale__deleted": "", + "check": { + "__old": "Verify the file integrity tool is configured to use FIPS 140-2 approved\ncryptographic hashes for validating file contents and directories.\n\n Note: If RHEL-07-021350 is a finding, this is automatically a finding too\nas the system cannot implement FIPS 140-2 approved cryptographic algorithms and\nhashes.\n\n Check to see if Advanced Intrusion Detection Environment (AIDE) is\ninstalled on the system with the following command:\n\n # yum list installed aide\n\n If AIDE is not installed, ask the System Administrator how file integrity\nchecks are performed on the system.\n\n If there is no application installed to perform file integrity checks, this\nis a finding.\n\n Note: AIDE is highly configurable at install time. 
These commands assume\nthe \"aide.conf\" file is under the \"/etc\" directory.\n\n Use the following command to determine if the file is in another location:\n\n # find / -name aide.conf\n\n Check the \"aide.conf\" file to determine if the \"sha512\" rule has been\nadded to the rule list being applied to the files and directories selection\nlists.\n\n An example rule that includes the \"sha512\" rule follows:\n\n All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All # apply the custom rule to the files in bin\n /sbin All # apply the same custom rule to the files in sbin\n\n If the \"sha512\" rule is not being used on all uncommented selection lines\nin the \"/etc/aide.conf\" file, or another file integrity tool is not using\nFIPS 140-2 approved cryptographic hashes for validating file contents and\ndirectories, this is a finding.", + "__new": "Verify the file integrity tool is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.\n\nNote: If RHEL-07-021350 is a finding, this is automatically a finding too as the system cannot implement FIPS 140-2 approved cryptographic algorithms and hashes.\n\nCheck to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:\n\n# yum list installed aide\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. \n\nIf there is no application installed to perform file integrity checks, this is a finding.\n\nNote: AIDE is highly configurable at install time. These commands assume the \"aide.conf\" file is under the \"/etc\" directory. 
\n\nUse the following command to determine if the file is in another location:\n\n# find / -name aide.conf\n\nCheck the \"aide.conf\" file to determine if the \"sha512\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"sha512\" rule follows:\n\nAll=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n/bin All # apply the custom rule to the files in bin \n/sbin All # apply the same custom rule to the files in sbin \n\nIf the \"sha512\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding." + }, + "fix": { + "__old": "Configure the file integrity tool to use FIPS 140-2 cryptographic hashes\nfor validating file and directory contents.\n\n If AIDE is installed, ensure the \"sha512\" rule is present on all\nuncommented file and directory selection lists.", + "__new": "Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. \n\nIf AIDE is installed, ensure the \"sha512\" rule is present on all uncommented file and directory selection lists." + } } }, "V-72075": { + "describe__deleted": " roots = command('grubby --info=ALL | grep \"^root=\" | sed \"s/^root=//g\"').\n stdout.strip.split(\"\\n\")\n\n blocks = roots.map { |root|\n root_file = file(root)\n root_file.symlink? ? root_file.link_path : root_file.path\n }\n\n blocks.each { |block|\n block_file = file(block)\n describe block_file do\n it { should exist }\n its('path') { should match %r{^/dev/} }\n end\n\n if block_file.exist? and block_file.path.match? 
%r{^/dev/}\n removable = ['/sys/block', block.sub(%r{^/dev/}, ''), 'removable'].join('/')\n describe file(removable) do\n it { should exist }\n its('content.strip') { should eq '0' }\n end\n end\n }", "tags": { - "check_id": "C-72307r2_chk", - "severity": "medium", - "gid": "V-72075", - "rid": "SV-86699r2_rule", - "stig_id": "RHEL-07-021700", - "gtitle": "SRG-OS-000364-GPOS-00151", - "fix_id": "F-78427r1_fix", - "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" - ], + "check_id__added": "C-72307r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1) (a)", - "CM-5 (1)" + [ + " " + ], + [ + " " + ], + [ + " " + ], + [ + "+", + "CM-5 (1) (a)" + ], + [ + " " + ], + [ + "-", + "CM-5 (1)" + ] ] }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72075" - ], - "title": "The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.", - "desc": "[\"Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not allow removable\nmedia to be used as the boot loader unless approved.", + "__new": "The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved." + }, + "desc": { + "__old": "Malicious users with removable boot media can gain access to a system\nconfigured to use removable media as the boot loader. 
If removable media is\ndesigned to be used as the boot loader, the requirement must be documented with\nthe Information System Security Officer (ISSO).", + "__new": "Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO)." + }, "descs": { - "check": "Verify the system is not configured to use a boot loader on removable media.\n\nNote: GRUB 2 reads its configuration from the \"/boot/grub2/grub.cfg\" file on traditional BIOS-based machines and from the \"/boot/efi/EFI/redhat/grub.cfg\" file on UEFI machines.\n\nCheck for the existence of alternate boot loader configuration files with the following command:\n\n# find / -name grub.cfg\n/boot/grub2/grub.cfg\n\nIf a \"grub.cfg\" is found in any subdirectories other than \"/boot/grub2\" and \"/boot/efi/EFI/redhat\", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader. \n\nCheck that the grub configuration file has the set root command in each menu entry with the following commands:\n\n# grep -c menuentry /boot/grub2/grub.cfg\n1\n# grep 'set root' /boot/grub2/grub.cfg\nset root=(hd0,1)\n\nIf the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.", - "fix": "Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO." + "default__deleted": "Malicious users with removable boot media can gain access to a system\nconfigured to use removable media as the boot loader. 
If removable media is\ndesigned to be used as the boot loader, the requirement must be documented with\nthe Information System Security Officer (ISSO).", + "rationale__deleted": "", + "check": { + "__old": "Verify the system is not configured to use a boot loader on removable media.\n\n Note: GRUB 2 reads its configuration from the \"/boot/grub2/grub.cfg\" file\non traditional BIOS-based machines and from the\n\"/boot/efi/EFI/redhat/grub.cfg\" file on UEFI machines.\n\n Check for the existence of alternate boot loader configuration files with\nthe following command:\n\n # find / -name grub.cfg\n /boot/grub2/grub.cfg\n\n If a \"grub.cfg\" is found in any subdirectories other than \"/boot/grub2\"\nand \"/boot/efi/EFI/redhat\", ask the System Administrator if there is\ndocumentation signed by the ISSO to approve the use of removable media as a\nboot loader.\n\n Check that the grub configuration file has the set root command in each\nmenu entry with the following commands:\n\n # grep -c menuentry /boot/grub2/grub.cfg\n 1\n # grep 'set root' /boot/grub2/grub.cfg\n set root=(hd0,1)\n\n If the system is using an alternate boot loader on removable media, and\ndocumentation does not exist approving the alternate configuration, this is a\nfinding.", + "__new": "Verify the system is not configured to use a boot loader on removable media.\n\nNote: GRUB 2 reads its configuration from the \"/boot/grub2/grub.cfg\" file on traditional BIOS-based machines and from the \"/boot/efi/EFI/redhat/grub.cfg\" file on UEFI machines.\n\nCheck for the existence of alternate boot loader configuration files with the following command:\n\n# find / -name grub.cfg\n/boot/grub2/grub.cfg\n\nIf a \"grub.cfg\" is found in any subdirectories other than \"/boot/grub2\" and \"/boot/efi/EFI/redhat\", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader. 
\n\nCheck that the grub configuration file has the set root command in each menu entry with the following commands:\n\n# grep -c menuentry /boot/grub2/grub.cfg\n1\n# grep 'set root' /boot/grub2/grub.cfg\nset root=(hd0,1)\n\nIf the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding." + }, + "fix": { + "__old": "Remove alternate methods of booting the system from removable\nmedia or document the configuration to boot from removable media with the ISSO.", + "__new": "Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO." + } } }, "V-72077": { + "describe__deleted": " describe package('telnet-server') do\n it { should_not be_installed }\n end", "tags": { - "check_id": "C-72309r2_chk", - "severity": "high", - "gid": "V-72077", - "rid": "SV-86701r2_rule", - "stig_id": "RHEL-07-021710", - "gtitle": "SRG-OS-000095-GPOS-00049", - "fix_id": "F-78429r1_fix", - "cci": [ - "CCI-000381" - ], - "nist": [ - "CM-7 a" - ] + "check_id__added": "C-72309r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72077" - ], - "title": "The Red Hat Enterprise Linux operating system must not have the telnet-server package installed.", - "desc": "[\"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\\n\\nOperating systems are capable of providing a wide variety of functions and services. 
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\\n\\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not have the\ntelnet-server package installed.", + "__new": "The Red Hat Enterprise Linux operating system must not have the telnet-server package installed." + }, + "desc": { + "__old": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.", + "__new": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. 
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled." + }, "descs": { - "check": "Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.\n\nThe telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised. \n\nCheck to see if the telnet-server package is installed with the following command:\n\n# yum list installed telnet-server\n\nIf the telnet-server package is installed, this is a finding.", - "fix": "Configure the operating system to disable non-essential capabilities by removing the telnet-server package from the system with the following command:\n\n# yum remove telnet-server" + "default__deleted": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\n Examples of non-essential capabilities include, but are not limited to,\ngames, software packages, tools, and demonstration software not related to\nrequirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system is configured to disable non-essential\ncapabilities. The most secure way of ensuring a non-essential capability is\ndisabled is to not have the capability installed.\n\n The telnet service provides an unencrypted remote access service that does\nnot provide for the confidentiality and integrity of user passwords or the\nremote session.\n\n If a privileged user were to log on using this service, the privileged user\npassword could be compromised.\n\n Check to see if the telnet-server package is installed with the following\ncommand:\n\n # yum list installed telnet-server\n\n If the telnet-server package is installed, this is a finding.", + "__new": "Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.\n\nThe telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised. \n\nCheck to see if the telnet-server package is installed with the following command:\n\n# yum list installed telnet-server\n\nIf the telnet-server package is installed, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to disable non-essential capabilities by\nremoving the telnet-server package from the system with the following command:\n\n # yum remove telnet-server", + "__new": "Configure the operating system to disable non-essential capabilities by removing the telnet-server package from the system with the following command:\n\n# yum remove telnet-server" + } } }, "V-72079": { + "describe__deleted": " describe service('auditd') do\n it { should be_running }\n end", "tags": { - "check_id": "C-72311r2_chk", - "severity": "high", - "gid": "V-72079", - "rid": "SV-86703r3_rule", - "stig_id": "RHEL-07-030000", - "gtitle": "SRG-OS-000038-GPOS-00016", - "fix_id": "F-78431r2_fix", - "cci": [ - "CCI-000126", - "CCI-000131" - ], + "check_id__added": "C-72311r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + }, "nist": [ - "AU-2 c", - "AU-3 b" + [ + "-", + "AU-2 d" + ], + [ + "-", + "AU-3" + ], + [ + "+", + "AU-2 c" + ], + [ + "+", + "AU-3 b" + ] ] }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72079" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. 
These audit records must also identify individual identities of group account users.", - "desc": "[\"Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\\n\\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\\n\\nAssociating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.\\n\\nSatisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat auditing is configured to produce records containing information to\nestablish what type of events occurred, where the events occurred, the source\nof the events, and the outcome of the events. These audit records must also\nidentify individual identities of group account users.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users." 
+ }, + "desc": { + "__old": "Without establishing what type of events occurred, it would be\ndifficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in the operating system audit\nlogs provides a means of investigating an attack; recognizing resource\nutilization or capacity thresholds; or identifying an improperly configured\noperating system.", + "__new": "Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.\n\n" + }, "descs": { - "check": "Verify the operating system produces audit records containing information to establish when (date and time) the events occurred.\n\nCheck to see if auditing is active by issuing the following command:\n\n# systemctl is-active auditd.service\nactive\n\nIf the \"auditd\" status is not active, this is a finding.", - "fix": "Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred.\n\nEnable the auditd service with the following command:\n\n# systemctl start 
auditd.service" + "default__deleted": "Without establishing what type of events occurred, it would be\ndifficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\n Audit record content that may be necessary to satisfy this requirement\nincludes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications,\nfilenames involved, and access control or flow control rules invoked.\n\n Associating event types with detected events in the operating system audit\nlogs provides a means of investigating an attack; recognizing resource\nutilization or capacity thresholds; or identifying an improperly configured\noperating system.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system produces audit records containing information\nto establish when (date and time) the events occurred.\n\n Check to see if auditing is active by issuing the following command:\n\n # systemctl is-active auditd.service\n active\n\n If the \"auditd\" status is not active, this is a finding.", + "__new": "Verify the operating system produces audit records containing information to establish when (date and time) the events occurred.\n\nCheck to see if auditing is active by issuing the following command:\n\n# systemctl is-active auditd.service\nactive\n\nIf the \"auditd\" status is not active, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to produce audit records containing\ninformation to establish when (date and time) the events occurred.\n\n Enable the auditd service with the following command:\n\n # systemctl start auditd.service", + "__new": "Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred.\n\nEnable the auditd service with the following command:\n\n# systemctl start auditd.service" + } } }, "V-72081": { + "describe__deleted": " monitor_kernel_log = input('monitor_kernel_log')\n\n if auditd.status['failure'].nil?\n impact 0.7\n elsif auditd.status['failure'].match?(%r{^1$}) && !monitor_kernel_log\n impact 0.3\n else\n impact 0.5\n end\n\n if !monitor_kernel_log\n describe auditd.status['failure'] do\n it { should match %r{^2$} }\n end\n else\n describe auditd.status['failure'] do\n it { should match %r{^(1|2)$} }\n end\n end", "tags": { - "check_id": "C-72313r5_chk", - "severity": "medium", - "gid": "V-72081", - "rid": "SV-86705r5_rule", - "stig_id": "RHEL-07-030010", - "gtitle": "SRG-OS-000046-GPOS-00022", - "fix_id": "F-78433r2_fix", - "cci": [ - "CCI-000139" - ], - "nist": [ - "AU-5 a" - ] + "check_id__added": "C-72313r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, + "rid": { + "__old": "SV-86705r4_rule", + "__new": "SV-86705r5_rule" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72081" - ], - "title": "The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. 
If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.", - "desc": "[\"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\\n\\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\\n\\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.\\n\\nSatisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must shut down upon\naudit processing failure, unless availability is an overriding concern. If\navailability is a concern, the system must alert the designated staff (System\nAdministrator [SA] and Information System Security Officer [ISSO] at a minimum)\nin the event of an audit processing failure.", + "__new": "The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure." + }, + "desc": { + "__old": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. 
Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", + "__new": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.\n\n" + }, + "impact": { + "__old": 0.7, + "__new": 0.5 + }, "descs": { - "check": "Confirm the audit configuration regarding how auditing processing failures are handled.\n\nCheck to see what level \"auditctl\" is set to with following command: \n\n# auditctl -s | grep -i \"fail\"\n\nfailure 2\n\nNote: If the value of \"failure\" is set to \"2\", the system is configured to panic (shut down) in the event of an auditing failure. 
If the value of \"failure\" is set to \"1\", the system is configured to only send information to the kernel log regarding the failure.\n\nIf the \"failure\" setting is set to any value other than \"1\" or \"2\", this is a finding.\n\nIf the \"failure\" setting is not set, this should be upgraded to a CAT I finding.\n\nIf the \"failure\" setting is set to \"1\" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.", - "fix": "Configure the operating system to shut down in the event of an audit processing failure.\n\nAdd or correct the option to shut down the operating system with the following command:\n\n# auditctl -f 2\n\nEdit the \"/etc/audit/rules.d/audit.rules\" file and add the following line:\n\n-f 2\n\nIf availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command:\n\n# auditctl -f 1\n\nEdit the \"/etc/audit/rules.d/audit.rules\" file and add the following line:\n\n-f 1\n\nKernel log monitoring must also be configured to properly alert designated staff.\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "It is critical for the appropriate personnel to be aware if a system\nis at risk of failing to process audit logs as required. 
Without this\nnotification, the security personnel may be unaware of an impending failure of\nthe audit capability, and system operation may be adversely affected.\n\n Audit processing failures include software/hardware errors, failures in the\naudit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\n This requirement applies to each audit data storage repository (i.e.,\ndistinct information system component where audit records are stored), the\ncentralized audit storage capacity of organizations (i.e., all audit data\nstorage repositories combined), or both.", + "rationale__deleted": "", + "check": { + "__old": "Confirm the audit configuration regarding how auditing processing failures\nare handled.\n\n Check to see what level \"auditctl\" is set to with following command:\n\n # auditctl -s | grep -i \"fail\"\n\n failure 2\n\n If the value of \"failure\" is set to \"2\", the system is configured to\npanic (shut down) in the event of an auditing failure.\n\n If the value of \"failure\" is set to \"1\", the system is configured to\nonly send information to the kernel log regarding the failure.\n\n If the \"failure\" setting is not set, this is a CAT I finding.\n\n If the \"failure\" setting is set to any value other than \"1\" or \"2\",\nthis is a CAT II finding.\n\n If the \"failure\" setting is set to \"1\" but the availability concern is\nnot documented or there is no monitoring of the kernel log, this is a CAT III\nfinding.", + "__new": "Confirm the audit configuration regarding how auditing processing failures are handled.\n\nCheck to see what level \"auditctl\" is set to with following command: \n\n# auditctl -s | grep -i \"fail\"\n\nfailure 2\n\nNote: If the value of \"failure\" is set to \"2\", the system is configured to panic (shut down) in the event of an auditing failure. 
If the value of \"failure\" is set to \"1\", the system is configured to only send information to the kernel log regarding the failure.\n\nIf the \"failure\" setting is set to any value other than \"1\" or \"2\", this is a finding.\n\nIf the \"failure\" setting is not set, this should be upgraded to a CAT I finding.\n\nIf the \"failure\" setting is set to \"1\" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding." + }, + "fix": { + "__old": "Configure the operating system to shut down in the event of an audit\nprocessing failure.\n\n Add or correct the option to shut down the operating system with the\nfollowing command:\n\n # auditctl -f 2\n\n Edit the \"/etc/audit/rules.d/audit.rules\" file and add the following line:\n\n -f 2\n\n If availability has been determined to be more important, and this decision\nis documented with the ISSO, configure the operating system to notify system\nadministration staff and ISSO staff in the event of an audit processing failure\nwith the following command:\n\n # auditctl -f 1\n\n Edit the \"/etc/audit/rules.d/audit.rules\" file and add the following line:\n\n -f 1\n\n Kernel log monitoring must also be configured to properly alert designated\nstaff.\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to shut down in the event of an audit processing failure.\n\nAdd or correct the option to shut down the operating system with the following command:\n\n# auditctl -f 2\n\nEdit the \"/etc/audit/rules.d/audit.rules\" file and add the following line:\n\n-f 2\n\nIf availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command:\n\n# auditctl -f 1\n\nEdit the \"/etc/audit/rules.d/audit.rules\" file 
and add the following line:\n\n-f 1\n\nKernel log monitoring must also be configured to properly alert designated staff.\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72083": { + "describe__deleted": " if file('/etc/audisp/audisp-remote.conf').exist?\n describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('remote_server'.to_s) { should match %r{^\\S+$} }\n its('remote_server'.to_s) { should_not be_in ['localhost', '127.0.0.1'] }\n end\n else\n describe \"File '/etc/audisp/audisp-remote.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually\" do\n skip \"File '/etc/audisp/audisp-remote.conf' cannot be found. This check must be performed manually\"\n end\n end", "tags": { - "check_id": "C-72315r1_chk", - "severity": "medium", - "gid": "V-72083", - "rid": "SV-86707r2_rule", - "stig_id": "RHEL-07-030300", - "gtitle": "SRG-OS-000342-GPOS-00133", - "fix_id": "F-78435r1_fix", - "cci": [ - "CCI-001851" - ], - "nist": [ - "AU-4 (1)" - ] + "check_id__added": "C-72315r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72083" - ], - "title": "The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited.", - "desc": "[\"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\\n\\nOff-loading is a common process in information systems with limited audit storage capacity.\\n\\nSatisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must off-load audit\nrecords onto a different system or media from the system being audited.", + "__new": "The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from 
the system being audited." + }, + "desc": { + "__old": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", + "__new": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\n" + }, "descs": { - "check": "Verify the operating system off-loads audit records onto a different system or media from the system being audited.\n\nTo determine the remote server that the records are being sent to, use the following command:\n\n# grep -i remote_server /etc/audisp/audisp-remote.conf\nremote_server = 10.0.21.1\n\nIf a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. \n\nIf there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.", - "fix": "Configure the operating system to off-load audit records onto a different system or media from the system being audited.\n\nSet the remote server option in \"/etc/audisp/audisp-remote.conf\" with the IP address of the log aggregation server." 
+ "default__deleted": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system off-loads audit records onto a different system\nor media from the system being audited.\n\n To determine the remote server that the records are being sent to, use the\nfollowing command:\n\n # grep -i remote_server /etc/audisp/audisp-remote.conf\n remote_server = 10.0.21.1\n\n If a remote server is not configured, or the line is commented out, ask the\nSystem Administrator to indicate how the audit logs are off-loaded to a\ndifferent system or media.\n\n If there is no evidence that the audit logs are being off-loaded to another\nsystem or media, this is a finding.", + "__new": "Verify the operating system off-loads audit records onto a different system or media from the system being audited.\n\nTo determine the remote server that the records are being sent to, use the following command:\n\n# grep -i remote_server /etc/audisp/audisp-remote.conf\nremote_server = 10.0.21.1\n\nIf a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. \n\nIf there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to off-load audit records onto a different\nsystem or media from the system being audited.\n\n Set the remote server option in \"/etc/audisp/audisp-remote.conf\" with the\nIP address of the log aggregation server.", + "__new": "Configure the operating system to off-load audit records onto a different system or media from the system being audited.\n\nSet the remote server option in \"/etc/audisp/audisp-remote.conf\" with the IP address of the log aggregation server." + } } }, "V-72085": { + "describe__deleted": " describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('enable_krb5'.to_s) { should cmp 'yes' }\n end", "tags": { - "check_id": "C-72317r1_chk", - "severity": "medium", - "gid": "V-72085", - "rid": "SV-86709r2_rule", - "stig_id": "RHEL-07-030310", - "gtitle": "SRG-OS-000342-GPOS-00133", - "fix_id": "F-78437r1_fix", - "cci": [ - "CCI-001851" - ], - "nist": [ - "AU-4 (1)" - ] + "check_id__added": "C-72317r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72085" - ], - "title": "The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.", - "desc": "[\"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\\n\\nOff-loading is a common process in information systems with limited audit storage capacity.\\n\\nSatisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must encrypt the\ntransfer of audit records off-loaded onto a different system or media from the\nsystem being audited.", + "__new": "The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media 
from the system being audited." + }, + "desc": { + "__old": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", + "__new": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\n" + }, "descs": { - "check": "Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited.\n\nTo determine if the transfer is encrypted, use the following command:\n\n# grep -i enable_krb5 /etc/audisp/audisp-remote.conf\nenable_krb5 = yes\n\nIf the value of the \"enable_krb5\" option is not set to \"yes\" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. \n\nIf there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.", - "fix": "Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited.\n\nUncomment the \"enable_krb5\" option in \"/etc/audisp/audisp-remote.conf\" and set it with the following line:\n\nenable_krb5 = yes" + "default__deleted": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system encrypts audit records off-loaded onto a\ndifferent system or media from the system being audited.\n\n To determine if the transfer is encrypted, use the following command:\n\n # grep -i enable_krb5 /etc/audisp/audisp-remote.conf\n enable_krb5 = yes\n\n If the value of the 
\"enable_krb5\" option is not set to \"yes\" or the\nline is commented out, ask the System Administrator to indicate how the audit\nlogs are off-loaded to a different system or media.\n\n If there is no evidence that the transfer of the audit logs being\noff-loaded to another system or media is encrypted, this is a finding.", + "__new": "Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited.\n\nTo determine if the transfer is encrypted, use the following command:\n\n# grep -i enable_krb5 /etc/audisp/audisp-remote.conf\nenable_krb5 = yes\n\nIf the value of the \"enable_krb5\" option is not set to \"yes\" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. \n\nIf there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to encrypt the transfer of off-loaded audit\nrecords onto a different system or media from the system being audited.\n\n Uncomment the \"enable_krb5\" option in \"/etc/audisp/audisp-remote.conf\"\nand set it with the following line:\n\n enable_krb5 = yes", + "__new": "Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited.\n\nUncomment the \"enable_krb5\" option in \"/etc/audisp/audisp-remote.conf\" and set it with the following line:\n\nenable_krb5 = yes" + } } }, "V-72087": { + "describe__deleted": " describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('disk_full_action'.to_s) { should be_in ['syslog', 'single', 'halt'] }\n end\n\n# Test matches ./inspec-profiles/controls/V-73163.rb\n describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('network_failure_action'.to_s) { should be_in ['syslog', 'single', 'halt'] }\n end", "tags": { - 
"check_id": "C-72319r4_chk", - "severity": "medium", - "gid": "V-72087", - "rid": "SV-86711r3_rule", - "stig_id": "RHEL-07-030320", - "gtitle": "SRG-OS-000342-GPOS-00133", - "fix_id": "F-78439r4_fix", - "cci": [ - "CCI-001851" - ], - "nist": [ - "AU-4 (1)" - ] + "check_id__added": "C-72319r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72087" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.", - "desc": "[\"Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the audit system takes appropriate action when the audit storage volume is\nfull.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full." + }, + "desc": { + "__old": "Taking appropriate action in case of a filled audit storage volume\nwill minimize the possibility of losing audit records.", + "__new": "Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records." 
+ }, "descs": { - "check": "Verify the action the operating system takes if the disk the audit records are written to becomes full.\n\nTo determine the action that takes place if the disk is full on the remote server, use the following command:\n\n# grep -i disk_full_action /etc/audisp/audisp-remote.conf\ndisk_full_action = single\n\nIf the value of the \"disk_full_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, this is a finding.", - "fix": "Configure the action the operating system takes if the disk the audit records are written to becomes full.\n\nUncomment or edit the \"disk_full_action\" option in \"/etc/audisp/audisp-remote.conf\" and set it to \"syslog\", \"single\", or \"halt\", such as the following line:\n\ndisk_full_action = single" + "default__deleted": "Taking appropriate action in case of a filled audit storage volume\nwill minimize the possibility of losing audit records.", + "rationale__deleted": "", + "check": { + "__old": "Verify the action the operating system takes if the disk the audit records\nare written to becomes full.\n\n To determine the action that takes place if the disk is full on the remote\nserver, use the following command:\n\n # grep -i disk_full_action /etc/audisp/audisp-remote.conf\n disk_full_action = single\n\n If the value of the \"disk_full_action\" option is not \"syslog\",\n\"single\", or \"halt\", or the line is commented out, this is a finding.", + "__new": "Verify the action the operating system takes if the disk the audit records are written to becomes full.\n\nTo determine the action that takes place if the disk is full on the remote server, use the following command:\n\n# grep -i disk_full_action /etc/audisp/audisp-remote.conf\ndisk_full_action = single\n\nIf the value of the \"disk_full_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure the action the operating system takes if the disk the audit\nrecords are written to becomes full.\n\n Uncomment or edit the \"disk_full_action\" option in\n\"/etc/audisp/audisp-remote.conf\" and set it to \"syslog\", \"single\", or\n\"halt\", such as the following line:\n\n disk_full_action = single", + "__new": "Configure the action the operating system takes if the disk the audit records are written to becomes full.\n\nUncomment or edit the \"disk_full_action\" option in \"/etc/audisp/audisp-remote.conf\" and set it to \"syslog\", \"single\", or \"halt\", such as the following line:\n\ndisk_full_action = single" + } } }, "V-72089": { + "describe__deleted": " if((f = file(audit_log_dir = command(\"dirname #{auditd_conf.log_file}\").stdout.strip)).directory?)\n # Fetch partition sizes in 1K blocks for consistency\n partition_info = command(\"df -B 1K #{audit_log_dir}\").stdout.split(\"\\n\")\n partition_sz_arr = partition_info.last.gsub(/\\s+/m, ' ').strip.split(\" \")\n\n # Get partition size\n partition_sz = partition_sz_arr[1]\n\n # Convert to MB and get 25%\n exp_space_left = partition_sz.to_i / 1024 / 4\n\n describe auditd_conf do\n its('space_left.to_i') { should be >= exp_space_left }\n end\n else\n describe f.directory? 
do\n it { should be true }\n end\n end", "tags": { - "check_id": "C-72321r4_chk", - "severity": "medium", - "gid": "V-72089", - "rid": "SV-86713r4_rule", - "stig_id": "RHEL-07-030330", - "gtitle": "SRG-OS-000343-GPOS-00134", - "fix_id": "F-78441r3_fix", - "cci": [ - "CCI-001855" - ], - "nist": [ - "AU-5 (1)" - ] + "check_id__added": "C-72321r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72089" - ], - "title": "The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.", - "desc": "[\"If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must initiate an action\nto notify the System Administrator (SA) and Information System Security Officer\nISSO, at a minimum, when allocated audit record storage volume reaches 75% of\nthe repository maximum audit record storage capacity.", + "__new": "The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity." 
+ }, + "desc": { + "__old": "If security personnel are not notified immediately when storage volume\nreaches 75 percent utilization, they are unable to plan for audit record\nstorage capacity expansion.", + "__new": "If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion." + }, "descs": { - "check": "Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are being written to with the following command:\n\n# grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records are written to (with the example being \"/var/log/audit/\"):\n\n# df -h /var/log/audit/\n0.9G /var/log/audit\n\nIf the audit records are not being written to a partition specifically created for audit records (in this example \"/var/log/audit\" is a separate partition), determine the amount of space other files in the partition are currently occupying with the following command:\n\n# du -sh \n1.8G /var\n\nDetermine what the threshold is for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached:\n\n# grep -iw space_left /etc/audit/auditd.conf\nspace_left = 225 \n\nIf the value of the \"space_left\" keyword is not set to 25 percent of the total partition size, this is a finding.", - "fix": "Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are being written to: \n\n# grep -iw log_file 
/etc/audit/auditd.conf\n\nDetermine the size of the partition that audit records are written to (with the example being \"/var/log/audit/\"):\n\n# df -h /var/log/audit/\n\nSet the value of the \"space_left\" keyword in \"/etc/audit/auditd.conf\" to 25 percent of the partition size." + "default__deleted": "If security personnel are not notified immediately when storage volume\nreaches 75 percent utilization, they are unable to plan for audit record\nstorage capacity expansion.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system initiates an action to notify the SA and ISSO\n(at a minimum) when allocated audit record storage volume reaches 75 percent of\nthe repository maximum audit record storage capacity.\n\n Check the system configuration to determine the partition the audit records\nare being written to with the following command:\n\n # grep -iw log_file /etc/audit/auditd.conf\n log_file = /var/log/audit/audit.log\n\n Check the size of the partition that audit records are written to (with the\nexample being \"/var/log/audit/\"):\n\n # df -h /var/log/audit/\n 0.9G /var/log/audit\n\n If the audit records are not being written to a partition specifically\ncreated for audit records (in this example \"/var/log/audit\" is a separate\npartition), determine the amount of space other files in the partition are\ncurrently occupying with the following command:\n\n # du -sh \n 1.8G /var\n\n Determine what the threshold is for the system to take action when 75\npercent of the repository maximum audit record storage capacity is reached:\n\n # grep -iw space_left /etc/audit/auditd.conf\n space_left = 225\n\n If the value of the \"space_left\" keyword is not set to 25 percent of the\ntotal partition size, this is a finding.", + "__new": "Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage 
capacity.\n\nCheck the system configuration to determine the partition the audit records are being written to with the following command:\n\n# grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records are written to (with the example being \"/var/log/audit/\"):\n\n# df -h /var/log/audit/\n0.9G /var/log/audit\n\nIf the audit records are not being written to a partition specifically created for audit records (in this example \"/var/log/audit\" is a separate partition), determine the amount of space other files in the partition are currently occupying with the following command:\n\n# du -sh \n1.8G /var\n\nDetermine what the threshold is for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached:\n\n# grep -iw space_left /etc/audit/auditd.conf\nspace_left = 225 \n\nIf the value of the \"space_left\" keyword is not set to 25 percent of the total partition size, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to initiate an action to notify the SA and\nISSO (at a minimum) when allocated audit record storage volume reaches 75\npercent of the repository maximum audit record storage capacity.\n\n Check the system configuration to determine the partition the audit records\nare being written to:\n\n # grep -iw log_file /etc/audit/auditd.conf\n\n Determine the size of the partition that audit records are written to (with\nthe example being \"/var/log/audit/\"):\n\n # df -h /var/log/audit/\n\n Set the value of the \"space_left\" keyword in \"/etc/audit/auditd.conf\"\nto 25 percent of the partition size.", + "__new": "Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n\nCheck the system configuration to determine the partition the audit records are being written to: \n\n# grep -iw log_file /etc/audit/auditd.conf\n\nDetermine the size of the partition that audit records are written to (with the example being \"/var/log/audit/\"):\n\n# df -h /var/log/audit/\n\nSet the value of the \"space_left\" keyword in \"/etc/audit/auditd.conf\" to 25 percent of the partition size." 
+ } } }, "V-72091": { + "describe__deleted": " describe auditd_conf do\n its('space_left_action.downcase') { should cmp 'email' }\n end", "tags": { - "check_id": "C-72323r1_chk", - "severity": "medium", - "gid": "V-72091", - "rid": "SV-86715r2_rule", - "stig_id": "RHEL-07-030340", - "gtitle": "SRG-OS-000343-GPOS-00134", - "fix_id": "F-78443r1_fix", - "cci": [ - "CCI-001855" - ], - "nist": [ - "AU-5 (1)" - ] + "check_id__added": "C-72323r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72091" - ], - "title": "The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.", - "desc": "[\"If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must immediately notify\nthe System Administrator (SA) and Information System Security Officer (ISSO)\n(at a minimum) via email when the threshold for the repository maximum audit\nrecord storage capacity is reached.", + "__new": "The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached." 
+ }, + "desc": { + "__old": "If security personnel are not notified immediately when the threshold\nfor the repository maximum audit record storage capacity is reached, they are\nunable to expand the audit record storage capacity before records are lost.", + "__new": "If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost." + }, "descs": { - "check": "Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n\nCheck what action the operating system takes when the threshold for the repository maximum audit record storage capacity is reached with the following command:\n\n# grep -i space_left_action /etc/audit/auditd.conf\nspace_left_action = email\n\nIf the value of the \"space_left_action\" keyword is not set to \"email\", this is a finding.", - "fix": "Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.\n\nUncomment or edit the \"space_left_action\" keyword in \"/etc/audit/auditd.conf\" and set it to \"email\". 
\n \nspace_left_action = email" + "default__deleted": "If security personnel are not notified immediately when the threshold\nfor the repository maximum audit record storage capacity is reached, they are\nunable to expand the audit record storage capacity before records are lost.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system immediately notifies the SA and ISSO (at a\nminimum) via email when the allocated audit record storage volume reaches 75\npercent of the repository maximum audit record storage capacity.\n\n Check what action the operating system takes when the threshold for the\nrepository maximum audit record storage capacity is reached with the following\ncommand:\n\n # grep -i space_left_action /etc/audit/auditd.conf\n space_left_action = email\n\n If the value of the \"space_left_action\" keyword is not set to \"email\",\nthis is a finding.", + "__new": "Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n\nCheck what action the operating system takes when the threshold for the repository maximum audit record storage capacity is reached with the following command:\n\n# grep -i space_left_action /etc/audit/auditd.conf\nspace_left_action = email\n\nIf the value of the \"space_left_action\" keyword is not set to \"email\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to immediately notify the SA and ISSO (at a\nminimum) when the threshold for the repository maximum audit record storage\ncapacity is reached.\n\n Uncomment or edit the \"space_left_action\" keyword in\n\"/etc/audit/auditd.conf\" and set it to \"email\".\n\n space_left_action = email", + "__new": "Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.\n\nUncomment or edit the \"space_left_action\" keyword in \"/etc/audit/auditd.conf\" and set it to \"email\". \n \nspace_left_action = email" + } } }, "V-72093": { + "describe__deleted": " describe auditd_conf do\n its('action_mail_acct') { should cmp 'root' }\n end", "tags": { - "check_id": "C-72325r4_chk", - "severity": "medium", - "gid": "V-72093", - "rid": "SV-86717r3_rule", - "stig_id": "RHEL-07-030350", - "gtitle": "SRG-OS-000343-GPOS-00134", - "fix_id": "F-78445r3_fix", - "cci": [ - "CCI-001855" - ], - "nist": [ - "AU-5 (1)" - ] + "check_id__added": "C-72325r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72093" - ], - "title": "The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.", - "desc": "[\"If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must immediately notify\nthe System Administrator (SA) and Information System Security Officer (ISSO)\n(at a minimum) when 
the threshold for the repository maximum audit record\nstorage capacity is reached.", + "__new": "The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached." + }, + "desc": { + "__old": "If security personnel are not notified immediately when the threshold\nfor the repository maximum audit record storage capacity is reached, they are\nunable to expand the audit record storage capacity before records are lost.", + "__new": "If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost." + }, "descs": { - "check": "Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.\n\nCheck what account the operating system emails when the threshold for the repository maximum audit record storage capacity is reached with the following command:\n\n# grep -i action_mail_acct /etc/audit/auditd.conf\naction_mail_acct = root\n\nIf the value of the \"action_mail_acct\" keyword is not set to \"root\" and other accounts for security personnel, this is a finding.", - "fix": "Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.\n\nUncomment or edit the \"action_mail_acct\" keyword in \"/etc/audit/auditd.conf\" and set it to root and any other accounts associated with security personnel. 
\n \naction_mail_acct = root" + "default__deleted": "If security personnel are not notified immediately when the threshold\nfor the repository maximum audit record storage capacity is reached, they are\nunable to expand the audit record storage capacity before records are lost.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system immediately notifies the SA and ISSO (at a\nminimum) via email when the threshold for the repository maximum audit record\nstorage capacity is reached.\n\n Check what account the operating system emails when the threshold for the\nrepository maximum audit record storage capacity is reached with the following\ncommand:\n\n # grep -i action_mail_acct /etc/audit/auditd.conf\n action_mail_acct = root\n\n If the value of the \"action_mail_acct\" keyword is not set to \"root\" and\nother accounts for security personnel, this is a finding.", + "__new": "Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.\n\nCheck what account the operating system emails when the threshold for the repository maximum audit record storage capacity is reached with the following command:\n\n# grep -i action_mail_acct /etc/audit/auditd.conf\naction_mail_acct = root\n\nIf the value of the \"action_mail_acct\" keyword is not set to \"root\" and other accounts for security personnel, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to immediately notify the SA and ISSO (at a\nminimum) when the threshold for the repository maximum audit record storage\ncapacity is reached.\n\n Uncomment or edit the \"action_mail_acct\" keyword in\n\"/etc/audit/auditd.conf\" and set it to root and any other accounts associated\nwith security personnel.\n\n action_mail_acct = root", + "__new": "Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.\n\nUncomment or edit the \"action_mail_acct\" keyword in \"/etc/audit/auditd.conf\" and set it to root and any other accounts associated with security personnel. \n \naction_mail_acct = root" + } } }, "V-72095": { + "describe__deleted": " # All execve calls should use 'always,exit'\n describe auditd.syscall('execve') do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n # Work with the SUID rules\n describe auditd.syscall('execve').where { fields.include?('euid=0') } do\n its ('arch.uniq') { should include 'b32' }\n its ('arch.uniq') { should include 'b64' }\n end\n\n # Work with the SGID rules\n describe auditd.syscall('execve').where { fields.include?('egid=0') } do\n its ('arch.uniq') { should include 'b32' }\n its ('arch.uniq') { should include 'b64' }\n end", "tags": { - "check_id": "C-72327r7_chk", - "severity": "medium", - "gid": "V-72095", - "rid": "SV-86719r7_rule", - "stig_id": "RHEL-07-030360", - "gtitle": "SRG-OS-000327-GPOS-00127", - "fix_id": "F-78447r9_fix", - "cci": [ - "CCI-002234" - ], - "nist": [ - "AC-6 (9)" - ] + "check_id__added": "C-72327r7_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72095" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all executions of privileged functions.", - 
"desc": "[\"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all\nexecutions of privileged functions.", + "__new": "The Red Hat Enterprise Linux operating system must audit all executions of privileged functions." + }, + "desc": { + "__old": "Misuse of privileged functions, either intentionally or\nunintentionally by authorized users, or by unauthorized external entities that\nhave compromised information system accounts, is a serious and ongoing concern\nand can have significant adverse impacts on organizations. Auditing the use of\nprivileged functions is one way to detect such misuse and identify the risk\nfrom insider threats and the advanced persistent threat.", + "__new": "Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat." 
+ }, "descs": { - "check": "Verify the operating system audits the execution of privileged functions using the following command:\n\n# grep -iw execve /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n\n\nIf both the \"b32\" and \"b64\" audit rules for \"SUID\" files are not defined, this is a finding.\n\nIf both the \"b32\" and \"b64\" audit rules for \"SGID\" files are not defined, this is a finding.", - "fix": "Configure the operating system to audit the execution of privileged functions.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Misuse of privileged functions, either intentionally or\nunintentionally by authorized users, or by unauthorized external entities that\nhave compromised information system accounts, is a serious and ongoing concern\nand can have significant adverse impacts on organizations. 
Auditing the use of\nprivileged functions is one way to detect such misuse and identify the risk\nfrom insider threats and the advanced persistent threat.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system audits the execution of privileged functions\nusing the following command:\n\n # grep -iw execve /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n\n\n If both the \"b32\" and \"b64\" audit rules for \"SUID\" files are not\ndefined, this is a finding.\n\n If both the \"b32\" and \"b64\" audit rules for \"SGID\" files are not\ndefined, this is a finding.", + "__new": "Verify the operating system audits the execution of privileged functions using the following command:\n\n# grep -iw execve /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n\n\nIf both the \"b32\" and \"b64\" audit rules for \"SUID\" files are not defined, this is a finding.\n\nIf both the \"b32\" and \"b64\" audit rules for \"SGID\" files are not defined, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to audit the execution of privileged\nfunctions.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to audit the execution of privileged functions.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72097": { + "describe__deleted": " describe auditd.syscall(\"chown\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"chown\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72329r8_chk", - "severity": "medium", - "gid": "V-72097", - "rid": "SV-86721r5_rule", - "stig_id": "RHEL-07-030370", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78449r8_fix", - "cci": [ - "CCI-000126", - "CCI-000172" - ], + "check_id__added": "C-72329r8_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "AU-2 c", - "AU-12 c" + [ + "-", + "AU-2 d" + ], + [ + "+", + "AU-2 c" + ], + [ + " " + ] ] }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72097" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe chown syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall." 
+ }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chown\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw chown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"chown\" syscall, this is a finding.", - "fix": "Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"chown\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw chown /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"chown\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chown\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw chown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"chown\" syscall, this is a finding." 
+ }, + "fix": { + "__old": "Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72099": { + "describe__deleted": " describe auditd.syscall(\"fchown\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"fchown\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72331r9_chk", - "severity": "medium", - "gid": "V-72099", - "rid": "SV-86723r5_rule", - "stig_id": "RHEL-07-030380", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78451r8_fix", - "cci": [ - "CCI-000126", - "CCI-000172" - ], + "check_id__added": "C-72331r9_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "AU-2 c", - "AU-12 c" + [ + "-", + "AU-2 d" + ], + [ + "+", + "AU-2 c" + ], + [ + " " + ] ] }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72099" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for 
one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe fchown syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fchown\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw fchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"fchown\" syscall, this is a finding.", - "fix": "Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"fchown\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw fchown /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"fchown\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fchown\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw fchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"fchown\" syscall, this is a finding." 
+ }, + "fix": { + "__old": "Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72101": { + "describe__deleted": " describe auditd.syscall(\"lchown\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"lchown\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72333r8_chk", - "severity": "medium", - "gid": "V-72101", - "rid": "SV-86725r5_rule", - "stig_id": "RHEL-07-030390", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78453r8_fix", - "cci": [ - "CCI-000126", - "CCI-000172" - ], + "check_id__added": "C-72333r8_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "AU-2 c", - "AU-12 c" + [ + "-", + "AU-2 d" + ], + [ + "+", + "AU-2 c" + ], + [ + " " + ] ] }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72101" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for 
one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe lchown syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"lchown\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw lchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"lchown\" syscall, this is a finding.", - "fix": "Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F 
auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"lchown\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw lchown /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"lchown\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"lchown\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw lchown /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"lchown\" syscall, this is a finding." 
+ }, + "fix": { + "__old": "Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72103": { + "describe__deleted": " describe auditd.syscall(\"fchownat\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"fchownat\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72335r8_chk", - "severity": "medium", - "gid": "V-72103", - "rid": "SV-86727r5_rule", - "stig_id": "RHEL-07-030400", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78455r7_fix", - "cci": [ - "CCI-000126", - "CCI-000172" - ], + "check_id__added": "C-72335r8_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "AU-2 c", - "AU-12 c" + [ + "-", + "AU-2 d" + ], + [ + "+", + "AU-2 c" + ], + [ + " " + ] ] }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72103" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those 
responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe fchownat syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fchownat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw fchownat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"fchownat\" syscall, this is a finding.", - "fix": "Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S 
fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." - } - }, - "V-72105": { - "tags": { - "check_id": "C-72337r7_chk", - "severity": "medium", - "gid": "V-72105", - "rid": "SV-86729r5_rule", - "stig_id": "RHEL-07-030410", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78457r7_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"fchownat\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw fchownat /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"fchownat\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fchownat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw fchownat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" 
and \"b64\" audit rules are not defined for the \"fchownat\" syscall, this is a finding." + }, + "fix": { + "__old": "Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + } + } + }, + "V-72105": { + "describe__deleted": " describe auditd.syscall(\"chmod\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"chmod\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", + "tags": { + "check_id__added": "C-72337r7_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72105" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, + 
"title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe chmod syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chmod\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw chmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"chmod\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chmod\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the 
changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"chmod\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing command:\n\n # grep -iw chmod /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"chmod\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chmod\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw chmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"chmod\" syscall, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"chmod\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chmod\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72107": { + "describe__deleted": " describe auditd.syscall(\"fchmod\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"fchmod\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72339r7_chk", - "severity": "medium", - "gid": "V-72107", - "rid": "SV-86731r5_rule", - "stig_id": "RHEL-07-030420", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78459r9_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72339r7_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72107" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall.", - "desc": "[\"Without generating audit records that are specific to the 
security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe fchmod syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fchmod\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw fchmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"fchmod\" syscall, this is a finding.", 
- "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"fchmod\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"fchmod\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing command:\n\n # grep -iw fchmod /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"fchmod\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fchmod\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw fchmod /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"fchmod\" syscall, 
this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"fchmod\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"fchmod\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72109": { + "describe__deleted": " describe auditd.syscall(\"fchmodat\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"fchmodat\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72341r8_chk", - "severity": "medium", - "gid": "V-72109", - "rid": "SV-86733r5_rule", - "stig_id": "RHEL-07-030430", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78461r8_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72341r8_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72109" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall.", - "desc": "[\"Without generating audit records 
that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe fchmodat syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fchmodat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw fchmodat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the 
\"fchmodat\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"fchmodat\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"fchmodat\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing command:\n\n # grep -iw fchmodat /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"fchmodat\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fchmodat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw fchmodat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and 
\"b64\" audit rules are not defined for the \"fchmodat\" syscall, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"fchmodat\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"fchmodat\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72111": { + "describe__deleted": " describe auditd.syscall(\"setxattr\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"setxattr\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72343r8_chk", - "severity": "medium", - "gid": "V-72111", - "rid": "SV-86735r5_rule", - "stig_id": "RHEL-07-030440", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78463r8_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72343r8_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72111" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe setxattr syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall." 
+ }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setxattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw setxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"setxattr\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setxattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"setxattr\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw setxattr /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"setxattr\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setxattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw setxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"setxattr\" syscall, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"setxattr\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k\nperm_mod\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setxattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72113": { + "describe__deleted": " describe auditd.syscall(\"fsetxattr\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"fsetxattr\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72345r7_chk", - "severity": "medium", - "gid": "V-72113", - "rid": "SV-86737r5_rule", - "stig_id": "RHEL-07-030450", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78465r7_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72345r7_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72113" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall.", - "desc": "[\"Without generating audit records that 
are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe fsetxattr syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fsetxattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw fsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the 
\"fsetxattr\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"fsetxattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"fsetxattr\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw fsetxattr /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295\n-k perm_mod\n\n -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295\n-k perm_mod\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"fsetxattr\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fsetxattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw fsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both 
the \"b32\" and \"b64\" audit rules are not defined for the \"fsetxattr\" syscall, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"fsetxattr\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295\n-k perm_mod\n\n -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295\n-k perm_mod\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"fsetxattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72115": { + "describe__deleted": " describe auditd.syscall(\"lsetxattr\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"lsetxattr\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72347r7_chk", - "severity": "medium", - "gid": "V-72115", - "rid": "SV-86739r5_rule", - "stig_id": "RHEL-07-030460", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78467r10_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72347r7_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72115" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe lsetxattr syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall." 
+ }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"lsetxattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw lsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"lsetxattr\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"lsetxattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"lsetxattr\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw lsetxattr /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295\n-k perm_mod\n\n -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295\n-k perm_mod\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"lsetxattr\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"lsetxattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw lsetxattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"lsetxattr\" syscall, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"lsetxattr\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295\n-k perm_mod\n\n -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295\n-k perm_mod\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"lsetxattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72117": { + "describe__deleted": " describe auditd.syscall(\"removexattr\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"removexattr\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72349r7_chk", - "severity": "medium", - "gid": "V-72117", - "rid": "SV-86741r5_rule", - "stig_id": "RHEL-07-030470", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78469r7_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72349r7_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72117" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall.", - "desc": "[\"Without generating audit 
records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe removexattr syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"removexattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw removexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules 
are not defined for the \"removexattr\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"removexattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"removexattr\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw removexattr /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295\n-k perm_mod\n\n -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295\n-k perm_mod\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"removexattr\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"removexattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw removexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S removexattr -F 
auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"removexattr\" syscall, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"removexattr\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295\n-k perm_mod\n\n -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295\n-k perm_mod\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"removexattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72119": { + "describe__deleted": " describe auditd.syscall(\"fremovexattr\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"fremovexattr\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72351r6_chk", - "severity": "medium", - "gid": "V-72119", - "rid": "SV-86743r5_rule", - "stig_id": "RHEL-07-030480", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78471r6_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72351r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72119" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe fremovexattr syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall." 
+ }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fremovexattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw fremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"fremovexattr\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"fremovexattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"fremovexattr\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw fremovexattr /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F\nauid!=4294967295 -k perm_mod\n\n -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F\nauid!=4294967295 -k perm_mod\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"fremovexattr\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fremovexattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw fremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"fremovexattr\" syscall, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"fremovexattr\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F\nauid!=4294967295 -k perm_mod\n\n -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F\nauid!=4294967295 -k perm_mod\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"fremovexattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72121": { + "describe__deleted": " describe auditd.syscall(\"lremovexattr\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"lremovexattr\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72353r7_chk", - "severity": "medium", - "gid": "V-72121", - "rid": "SV-86745r5_rule", - "stig_id": "RHEL-07-030490", - "gtitle": "SRG-OS-000458-GPOS-00203", - "fix_id": "F-78473r7_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72353r7_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72121" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall.", - "desc": 
"[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe lremovexattr syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"lremovexattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw lremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both 
the \"b32\" and \"b64\" audit rules are not defined for the \"lremovexattr\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"lremovexattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"lremovexattr\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw lremovexattr /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F\nauid!=4294967295 -k perm_mod\n\n -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F\nauid!=4294967295 -k perm_mod\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"lremovexattr\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"lremovexattr\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw lremovexattr /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k 
perm_mod\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"lremovexattr\" syscall, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"lremovexattr\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F\nauid!=4294967295 -k perm_mod\n\n -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F\nauid!=4294967295 -k perm_mod\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"lremovexattr\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72123": { + "describe__deleted": " describe auditd.syscall(\"creat\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall(\"creat\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n\n if os.arch == 'x86_64'\n describe auditd.syscall(\"creat\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall(\"creat\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end", "tags": { - "check_id": "C-72355r7_chk", - "severity": "medium", - "gid": "V-72123", - "rid": "SV-86747r5_rule", - "stig_id": "RHEL-07-030500", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78475r7_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72355r7_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72123" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, 
SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe creat syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"creat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw creat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S creat F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"creat\" syscall, this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf the output does not produce rules containing \"-F 
exit=-EACCES\", this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"creat\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules:\n\n-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"creat\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw creat /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S creat F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"creat\" syscall, this is a finding.\n\n If the output does not produce rules containing \"-F 
exit=-EPERM\", this is\na finding.\n\n If the output does not produce rules containing \"-F exit=-EACCES\", this\nis a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"creat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw creat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S creat F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"creat\" syscall, this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"creat\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules:\n\n -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"creat\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules:\n\n-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72125": { + "describe__deleted": " describe auditd.syscall(\"open\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall(\"open\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n\n if os.arch == 'x86_64'\n describe auditd.syscall(\"open\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall(\"open\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end", "tags": { - "check_id": "C-72357r7_chk", - "severity": "medium", - "gid": "V-72125", - "rid": "SV-86749r5_rule", - "stig_id": "RHEL-07-030510", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78477r7_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72357r7_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72125" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the open syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, 
SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe open syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the open syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"open\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw open /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"open\" syscall, this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EACCES\", this 
is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"open\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"open\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw open /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"open\" syscall, this is a finding.\n\n If the output does not produce rules containing \"-F exit=-EPERM\", this is\na 
finding.\n\n If the output does not produce rules containing \"-F exit=-EACCES\", this\nis a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"open\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw open /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"open\" syscall, this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"open\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"open\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72127": { + "describe__deleted": " describe auditd.syscall(\"openat\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall(\"openat\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"openat\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall(\"openat\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end", "tags": { - "check_id": "C-72359r8_chk", - "severity": "medium", - "gid": "V-72127", - "rid": "SV-86751r5_rule", - "stig_id": "RHEL-07-030520", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78479r8_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72359r8_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72127" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, 
SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe openat syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"openat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw openat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"openat\" syscall, this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf the output does not produce rules containing \"-F 
exit=-EACCES\", this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"openat\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"openat\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw openat /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"openat\" syscall, this is a finding.\n\n If the output does not produce rules 
containing \"-F exit=-EPERM\", this is\na finding.\n\n If the output does not produce rules containing \"-F exit=-EACCES\", this\nis a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"openat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw openat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"openat\" syscall, this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"openat\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"openat\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72129": { + "describe__deleted": " describe auditd.syscall(\"open_by_handle_at\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall(\"open_by_handle_at\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"open_by_handle_at\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall(\"open_by_handle_at\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end", "tags": { - "check_id": "C-72361r7_chk", - "severity": "medium", - "gid": "V-72129", - "rid": "SV-86753r5_rule", - "stig_id": "RHEL-07-030530", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78481r8_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72361r7_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72129" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, 
SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe open_by_handle_at syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"open_by_handle_at\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw open_by_handle_at /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"open_by_handle_at\" syscall, this is a 
finding.\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"open_by_handle_at\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"open_by_handle_at\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw open_by_handle_at /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k access\n\n -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k 
access\n\n -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k access\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"open_by_handle_at\" syscall, this is a finding.\n\n If the output does not produce rules containing \"-F exit=-EPERM\", this is\na finding.\n\n If the output does not produce rules containing \"-F exit=-EACCES\", this\nis a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"open_by_handle_at\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw open_by_handle_at /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"open_by_handle_at\" syscall, this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"open_by_handle_at\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k access\n\n -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k access\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"open_by_handle_at\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72131": { + "describe__deleted": " describe auditd.syscall(\"truncate\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall(\"truncate\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"truncate\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall(\"truncate\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end", "tags": { - "check_id": "C-72363r6_chk", - "severity": "medium", - "gid": "V-72131", - "rid": "SV-86755r5_rule", - "stig_id": "RHEL-07-030540", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78483r7_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72363r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72131" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, 
SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe truncate syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"truncate\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw truncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"truncate\" syscall, this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf the output 
does not produce rules containing \"-F exit=-EACCES\", this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"truncate\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"truncate\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw truncate /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"truncate\" syscall, 
this is a finding.\n\n If the output does not produce rules containing \"-F exit=-EPERM\", this is\na finding.\n\n If the output does not produce rules containing \"-F exit=-EACCES\", this\nis a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"truncate\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw truncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"truncate\" syscall, this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"truncate\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"truncate\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72133": { + "describe__deleted": " describe auditd.syscall(\"ftruncate\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall(\"ftruncate\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"ftruncate\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall(\"ftruncate\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end", "tags": { - "check_id": "C-72365r7_chk", - "severity": "medium", - "gid": "V-72133", - "rid": "SV-86757r5_rule", - "stig_id": "RHEL-07-030550", - "gtitle": "SRG-OS-000064-GPOS-00033", - "fix_id": "F-78485r8_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72365r7_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72133" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, 
SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe ftruncate syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"ftruncate\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw ftruncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"ftruncate\" syscall, this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf 
the output does not produce rules containing \"-F exit=-EACCES\", this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"ftruncate\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"ftruncate\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw ftruncate /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n If both the \"b32\" and \"b64\" audit rules are not defined for 
the\n\"ftruncate\" syscall, this is a finding.\n\n If the output does not produce rules containing \"-F exit=-EPERM\", this is\na finding.\n\n If the output does not produce rules containing \"-F exit=-EACCES\", this\nis a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"ftruncate\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw ftruncate /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"ftruncate\" syscall, this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EPERM\", this is a finding.\n\nIf the output does not produce rules containing \"-F exit=-EACCES\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"ftruncate\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F\nauid!=4294967295 -k access\n\n -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F\nauid!=4294967295 -k access\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"ftruncate\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72135": { + "describe__deleted": " audit_file = '/usr/sbin/semanage'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72367r6_chk", - "severity": "medium", - "gid": "V-72135", - "rid": "SV-86759r4_rule", - "stig_id": "RHEL-07-030560", - "gtitle": "SRG-OS-000392-GPOS-00172", - "fix_id": "F-78487r5_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72367r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72135" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe semanage command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the semanage command." 
+ }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"semanage\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/sbin/semanage /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"semanage\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"semanage\" command occur.\n\n Check the file system rule in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep -i /usr/sbin/semanage /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295\n-k privileged-priv_change\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"semanage\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/sbin/semanage /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"semanage\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295\n-k privileged-priv_change\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"semanage\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72137": { + "describe__deleted": " audit_file = '/usr/sbin/setsebool'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72369r5_chk", - "severity": "medium", - "gid": "V-72137", - "rid": "SV-86761r4_rule", - "stig_id": "RHEL-07-030570", - "gtitle": "SRG-OS-000392-GPOS-00172", - "fix_id": "F-78489r6_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72369r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72137" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.", - "desc": "[\"Without generating audit records that are specific to 
the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe setsebool command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setsebool\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/sbin/setsebool /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating 
system to generate audit records when successful/unsuccessful attempts to use the \"setsebool\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"setsebool\" command occur.\n\n Check the file system rule in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep -i /usr/sbin/setsebool /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F\nauid!=4294967295 -k privileged-priv_change\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setsebool\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/sbin/setsebool /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"setsebool\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F\nauid!=4294967295 -k privileged-priv_change\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setsebool\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72139": { + "describe__deleted": " audit_file = '/usr/bin/chcon'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72371r5_chk", - "severity": "medium", - "gid": "V-72139", - "rid": "SV-86763r4_rule", - "stig_id": "RHEL-07-030580", - "gtitle": "SRG-OS-000392-GPOS-00172", - "fix_id": "F-78491r6_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72371r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72139" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.", - "desc": "[\"Without generating audit records that are specific to the 
security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe chcon command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the chcon command." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chcon\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/bin/chcon /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit 
records when successful/unsuccessful attempts to use the \"chcon\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"chcon\" command occur.\n\n Check the file system rule in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep -i /usr/bin/chcon /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chcon\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/bin/chcon /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"chcon\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chcon\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72141": { + "describe__deleted": " audit_file = '/usr/sbin/setfiles'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72373r7_chk", - "severity": "medium", - "gid": "V-72141", - "rid": "SV-86765r5_rule", - "stig_id": "RHEL-07-030590", - "gtitle": "SRG-OS-000392-GPOS-00172", - "fix_id": "F-78493r7_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72373r7_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72141" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.", - "desc": "[\"Without generating audit records that are specific to the security and 
mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe setfiles command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setfiles\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw /usr/sbin/setfiles /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit 
records when successful/unsuccessful attempts to use the \"setfiles\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"setfiles\" command occur.\n\n Check the file system rule in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep -iw /usr/sbin/setfiles /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295\n-k privileged-priv_change\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setfiles\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw /usr/sbin/setfiles /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"setfiles\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295\n-k privileged-priv_change\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setfiles\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72145": { + "describe__deleted": " audit_file = '/var/run/faillock'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n # Resource creates data structure including all usages of file\n perms = auditd.file(audit_file).permissions\n\n perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72377r3_chk", - "severity": "medium", - "gid": "V-72145", - "rid": "SV-86769r4_rule", - "stig_id": "RHEL-07-030610", - "gtitle": "SRG-OS-000392-GPOS-00172", - "fix_id": "F-78497r4_fix", - "cci": [ - "CCI-000126", - "CCI-000172", - "CCI-002884" - ], + "check_id__added": "C-72377r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "AU-2 c", - "AU-12 c", 
- "MA-4 (1) (a)" + [ + "-", + "AU-2 d" + ], + [ + "+", + "AU-2 c" + ], + [ + " " + ], + [ + " " + ] ] }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72145" - ], - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must generate audit\nrecords for all unsuccessful account access events.", + "__new": "The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events." 
+ }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when unsuccessful account access events occur. \n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following commands: \n\n# grep -i /var/run/faillock /etc/audit/audit.rules\n\n-w /var/run/faillock -p wa -k logins\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when unsuccessful account access events occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-w /var/run/faillock -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when unsuccessful\naccount access events occur.\n\n Check the file system rule in \"/etc/audit/audit.rules\" with the following\ncommands:\n\n # grep -i /var/run/faillock /etc/audit/audit.rules\n\n -w /var/run/faillock -p wa -k logins\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when unsuccessful account access events occur. \n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following commands: \n\n# grep -i /var/run/faillock /etc/audit/audit.rules\n\n-w /var/run/faillock -p wa -k logins\n\nIf the command does not return any output, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when unsuccessful\naccount access events occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -w /var/run/faillock -p wa -k logins\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when unsuccessful account access events occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-w /var/run/faillock -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72147": { + "describe__deleted": " audit_file = '/var/log/lastlog'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n # Resource creates data structure including all usages of file\n perms = auditd.file(audit_file).permissions\n\n perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72379r3_chk", - "severity": "medium", - "gid": "V-72147", - "rid": "SV-86771r3_rule", - "stig_id": "RHEL-07-030620", - "gtitle": "SRG-OS-000392-GPOS-00172", - "fix_id": "F-78499r3_fix", - "cci": [ - "CCI-000126", - "CCI-000172", - "CCI-002884" - ], + "check_id__added": "C-72379r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "AU-2 c", - "AU-12 c", - "MA-4 (1) (a)" + [ + "-", + "AU-2 d" + ], + [ + "+", + "AU-2 c" + ], + [ + " " + ], + [ + " " + ] ] }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72147" - ], - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218false\"]", - "impact": 0.5, + 
"title": { + "__old": "The Red Hat Enterprise Linux operating system must generate audit\nrecords for all successful account access events.", + "__new": "The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful account access events occur. \n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands: \n\n# grep -i /var/log/lastlog /etc/audit/audit.rules\n\n-w /var/log/lastlog -p wa -k logins \n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful account access events occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-w /var/log/lastlog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when successful account\naccess events occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -i /var/log/lastlog /etc/audit/audit.rules\n\n -w /var/log/lastlog -p wa -k logins\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful account access events occur. \n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands: \n\n# grep -i /var/log/lastlog /etc/audit/audit.rules\n\n-w /var/log/lastlog -p wa -k logins \n\nIf the command does not return any output, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when successful\naccount access events occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -w /var/log/lastlog -p wa -k logins\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful account access events occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-w /var/log/lastlog -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72149": { + "describe__deleted": " audit_file = '/usr/bin/passwd'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72381r6_chk", - "severity": "medium", - "gid": "V-72149", - "rid": "SV-86773r5_rule", - "stig_id": "RHEL-07-030630", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78501r6_fix", - "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72381r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72149" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe passwd command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the passwd command." 
+ }, + "desc": { + "__old": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged password commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "__new": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"passwd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/bin/passwd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"passwd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged password commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"passwd\" command occur.\n\n Check the file system rule in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep -i /usr/bin/passwd /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=4294967295 -k\nprivileged-passwd\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"passwd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/bin/passwd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"passwd\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=4294967295 -k\nprivileged-passwd\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"passwd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72151": { + "describe__deleted": " audit_file = '/usr/sbin/unix_chkpwd'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72383r6_chk", - "severity": "medium", - "gid": "V-72151", - "rid": "SV-86775r5_rule", - "stig_id": "RHEL-07-030640", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78503r8_fix", - "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72383r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72151" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe unix_chkpwd command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command." 
+ }, + "desc": { + "__old": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged password commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "__new": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"unix_chkpwd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw /usr/sbin/unix_chkpwd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"unix_chkpwd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged password commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"unix_chkpwd\" command occur.\n\n Check the file system rule in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep -iw /usr/sbin/unix_chkpwd /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F\nauid!=4294967295 -k privileged-passwd\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"unix_chkpwd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw /usr/sbin/unix_chkpwd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"unix_chkpwd\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F\nauid!=4294967295 -k privileged-passwd\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"unix_chkpwd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72153": { + "describe__deleted": " audit_file = '/usr/bin/gpasswd'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72385r5_chk", - "severity": "medium", - "gid": "V-72153", - "rid": "SV-86777r5_rule", - "stig_id": "RHEL-07-030650", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78505r5_fix", - "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72385r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72153" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe gpasswd command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command." 
+ }, + "desc": { + "__old": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged password commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "__new": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"gpasswd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/bin/gpasswd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"gpasswd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged password commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"gpasswd\" command occur.\n\n Check the file system rule in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep -i /usr/bin/gpasswd /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=4294967295\n-k privileged-passwd\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"gpasswd\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/bin/gpasswd /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"gpasswd\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=4294967295\n-k privileged-passwd\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"gpasswd\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72155": { + "describe__deleted": " audit_file = '/usr/bin/chage'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72387r5_chk", - "severity": "medium", - "gid": "V-72155", - "rid": "SV-86779r5_rule", - "stig_id": "RHEL-07-030660", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78507r5_fix", - "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72387r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72155" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the chage command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe chage command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the chage command." 
+ }, + "desc": { + "__old": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged password commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "__new": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chage\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/bin/chage /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chage\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged password commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"chage\" command occur.\n\n Check the file system rule in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep -i /usr/bin/chage /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=4294967295 -k\nprivileged-passwd\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chage\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/bin/chage /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"chage\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=4294967295 -k\nprivileged-passwd\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chage\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72157": { + "describe__deleted": " audit_file = '/usr/sbin/userhelper'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72389r6_chk", - "severity": "medium", - "gid": "V-72157", - "rid": "SV-86781r5_rule", - "stig_id": "RHEL-07-030670", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78509r5_fix", - "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72389r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72157" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe userhelper command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command." 
+ }, + "desc": { + "__old": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged password commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "__new": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"userhelper\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/sbin/userhelper /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"userhelper\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged password commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"userhelper\" command occur.\n\n Check the file system rule in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep -i /usr/sbin/userhelper /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F\nauid!=4294967295 -k privileged-passwd\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"userhelper\" command occur.\n\nCheck the file system rule in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -i /usr/sbin/userhelper /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nIf the command does not return any output, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"userhelper\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F\nauid!=4294967295 -k privileged-passwd\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"userhelper\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72159": { + "describe__deleted": " audit_file = '/usr/bin/su'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72391r6_chk", - "severity": "medium", - "gid": "V-72159", - "rid": "SV-86783r5_rule", - "stig_id": "RHEL-07-030680", - "gtitle": "SRG-OS-000037-GPOS-00015", - "fix_id": "F-78511r6_fix", - "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], + "check_id__added": "C-72391r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + [ + "-", + "AU-3" + ], + [ + "+", + "AU-3 a" + ], + [ + " " + ], + [ + " " + ], + [ + " " + ] ] }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72159" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the su command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe su command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the su command." + }, + "desc": { + "__old": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged access commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "__new": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"su\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/bin/su /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change \n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged access commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"su\" command occur.\n\n Check that the following system call is being audited by performing the\nfollowing command to check the file system rules in \"/etc/audit/audit.rules\":\n\n # grep -iw /usr/bin/su /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"su\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/bin/su /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"su\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change \n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72161": { + "describe__deleted": " audit_file = '/usr/bin/sudo'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72393r5_chk", - "severity": "medium", - "gid": "V-72161", - "rid": "SV-86785r4_rule", - "stig_id": "RHEL-07-030690", - "gtitle": "SRG-OS-000037-GPOS-00015", - "fix_id": "F-78513r5_fix", - "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], + "check_id__added": "C-72393r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + [ + "-", + "AU-3" + ], + [ + "+", + "AU-3 a" + ], + [ + " " + ], + [ + " " + ], + [ + " " + ] ] }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72161" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe sudo command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the sudo command." + }, + "desc": { + "__old": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged access commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "__new": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"sudo\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/bin/sudo /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"sudo\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change \n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged access commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"sudo\" command occur.\n\n Check that the following system call is being audited by performing the\nfollowing command to check the file system rules in \"/etc/audit/audit.rules\":\n\n # grep -iw /usr/bin/sudo /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"sudo\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/bin/sudo /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"sudo\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"sudo\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change \n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72163": { + "describe__deleted": " audit_files = ['/etc/sudoers', '/etc/sudoers.d']\n\n if audit_files.any? { |audit_file| file(audit_file).exist? }\n impact 0.5\n else\n impact 0.0\n end\n\n audit_files.each do |audit_file|\n describe auditd.file(audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n # Resource creates data structure including all usages of file\n perms = auditd.file(audit_file).permissions\n\n perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end if file(audit_file).exist?\n end\n\n describe \"The #{audit_files} files do not exist\" do\n skip \"The #{audit_files} files do not exist, this requirement is Not Applicable.\"\n end if !audit_files.any? { |audit_file| file(audit_file).exist? 
}", "tags": { - "check_id": "C-72397r6_chk", - "severity": "medium", - "gid": "V-72163", - "rid": "SV-86787r5_rule", - "stig_id": "RHEL-07-030700", - "gtitle": "SRG-OS-000037-GPOS-00015", - "fix_id": "F-78517r6_fix", - "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], + "check_id__added": "C-72397r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + [ + "-", + "AU-3" + ], + [ + "+", + "AU-3 a" + ], + [ + " " + ], + [ + " " + ], + [ + " " + ] ] }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72163" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe sudoers file and all files in the /etc/sudoers.d/ directory.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory." + }, + "desc": { + "__old": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged access commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "__new": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to access the \"/etc/sudoers\" file and files in the \"/etc/sudoers.d/\" directory. \n\nCheck for modification of the following files being audited by performing the following commands to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -i \"/etc/sudoers\" /etc/audit/audit.rules\n\n-w /etc/sudoers -p wa -k privileged-actions\n\n# grep -i \"/etc/sudoers.d/\" /etc/audit/audit.rules\n\n-w /etc/sudoers.d/ -p wa -k privileged-actions\n\nIf the commands do not return output that match the examples, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to access the \"/etc/sudoers\" file and files in the \"/etc/sudoers.d/\" directory.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/sudoers -p wa -k privileged-actions\n\n-w /etc/sudoers.d/ -p wa -k privileged-actions\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged access commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to access the \"/etc/sudoers\" file and files\nin the \"/etc/sudoers.d/\" directory.\n\n Check for modification of the following files being audited by performing\nthe following commands to check the file system rules in\n\"/etc/audit/audit.rules\":\n\n # grep -i \"/etc/sudoers\" /etc/audit/audit.rules\n\n -w /etc/sudoers -p wa -k privileged-actions\n\n # grep -i \"/etc/sudoers.d/\" /etc/audit/audit.rules\n\n -w /etc/sudoers.d/ -p wa -k privileged-actions\n\n If the commands do not return output that match the examples, this is a\nfinding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to access the \"/etc/sudoers\" file and files in the \"/etc/sudoers.d/\" directory. \n\nCheck for modification of the following files being audited by performing the following commands to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -i \"/etc/sudoers\" /etc/audit/audit.rules\n\n-w /etc/sudoers -p wa -k privileged-actions\n\n# grep -i \"/etc/sudoers.d/\" /etc/audit/audit.rules\n\n-w /etc/sudoers.d/ -p wa -k privileged-actions\n\nIf the commands do not return output that match the examples, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to access the \"/etc/sudoers\" file and files\nin the \"/etc/sudoers.d/\" directory.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/sudoers -p wa -k privileged-actions\n\n -w /etc/sudoers.d/ -p wa -k privileged-actions\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to access the \"/etc/sudoers\" file and files in the \"/etc/sudoers.d/\" directory.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/sudoers -p wa -k privileged-actions\n\n-w /etc/sudoers.d/ -p wa -k privileged-actions\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72165": { + "describe__deleted": " audit_file = '/usr/bin/newgrp'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72399r5_chk", - "severity": "medium", - "gid": "V-72165", - "rid": "SV-86789r4_rule", - "stig_id": "RHEL-07-030710", - "gtitle": "SRG-OS-000037-GPOS-00015", - "fix_id": "F-78519r5_fix", - "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], + "check_id__added": "C-72399r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + [ + "-", + "AU-3" + ], + [ + "+", + "AU-3 a" + ], + [ + " " + ], + [ + " " + ], + [ + " " + ] ] }, "refs": [ [ + "+", "DPMS 
Target Red Hat 7" ] ], - "id": [ - "V-72165" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe newgrp command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command." + }, + "desc": { + "__old": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged access commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "__new": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"newgrp\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -i /usr/bin/newgrp /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"newgrp\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged access commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"newgrp\" command occur.\n\n Check that the following system call is being audited by performing the\nfollowing command to check the file system rules in \"/etc/audit/audit.rules\":\n\n # grep -i /usr/bin/newgrp /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"newgrp\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -i /usr/bin/newgrp /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"newgrp\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"newgrp\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72167": { + "describe__deleted": " audit_file = '/usr/bin/chsh'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72401r5_chk", - "severity": "medium", - "gid": "V-72167", - "rid": "SV-86791r4_rule", - "stig_id": "RHEL-07-030720", - "gtitle": "SRG-OS-000037-GPOS-00015", - "fix_id": "F-78521r5_fix", - "cci": [ - "CCI-000130", - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], + "check_id__added": "C-72401r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + [ + "-", + "AU-3" + ], + [ + "+", + "AU-3 a" + ], + [ + " " + ], + [ + " " + ], + [ + " " + ] ] }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72167" - ], - "title": "The Red Hat Enterprise 
Linux operating system must audit all uses of the chsh command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe chsh command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the chsh command." + }, + "desc": { + "__old": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged access commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "__new": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chsh\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -i /usr/bin/chsh /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chsh\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged access commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"chsh\" command occur.\n\n Check that the following system call is being audited by performing the\nfollowing command to check the file system rules in \"/etc/audit/audit.rules\":\n\n # grep -i /usr/bin/chsh /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chsh\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -i /usr/bin/chsh /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not return any output, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"chsh\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=4294967295 -k\nprivileged-priv_change\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chsh\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72171": { + "describe__deleted": " describe auditd.syscall(\"mount\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n if os.arch == 'x86_64'\n describe auditd.syscall(\"mount\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n\n describe auditd.path(\"/usr/bin/mount\") do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end", "tags": { - "check_id": "C-72405r11_chk", - "severity": "medium", - "gid": "V-72171", - "rid": "SV-86795r7_rule", - "stig_id": "RHEL-07-030740", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78525r9_fix", - "cci": [ - "CCI-000135", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72405r11_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72171" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.", - "desc": "[\"Reconstruction of 
harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe mount command and syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall." + }, + "desc": { + "__old": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged mount commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "__new": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged mount commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"mount\" command and syscall occur.\n\nCheck that the following system call is being audited by performing the following series of commands to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw \"mount\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"mount\" syscall, this is a finding.\n\nIf all uses of the \"mount\" command are not being audited, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"mount\" command and syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged mount commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"mount\" command and syscall occur.\n\n Check that the following system call is being audited by performing the\nfollowing series of commands to check the file system rules in\n\"/etc/audit/audit.rules\":\n\n # grep -iw \"mount\" /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k\nprivileged-mount\n -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k\nprivileged-mount\n -a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k\nprivileged-mount\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"mount\" syscall, this is a finding.\n\n If all uses of the \"mount\" command are not being audited, this is a\nfinding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"mount\" command and syscall occur.\n\nCheck that the following system call is being audited by performing the following series of commands to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw \"mount\" /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"mount\" syscall, this is a finding.\n\nIf all uses of the \"mount\" command are not being audited, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"mount\" command and syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k\nprivileged-mount\n -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k\nprivileged-mount\n -a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k\nprivileged-mount\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"mount\" command and syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72173": { + "describe__deleted": " audit_file = '/bin/umount'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72407r6_chk", - "severity": "medium", - "gid": "V-72173", - "rid": "SV-86797r5_rule", - "stig_id": "RHEL-07-030750", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78527r5_fix", - "cci": [ - "CCI-000135", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72407r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72173" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the umount command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe umount command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the umount command." 
+ }, + "desc": { + "__old": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged mount commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "__new": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"umount\" command occur.\n\nCheck that the following system call is being audited by performing the following series of commands to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw \"/usr/bin/umount\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=4294967295 -k privileged-mount \n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"umount\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged mount commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"umount\" command occur.\n\n Check that the following system call is being audited by performing the\nfollowing series of commands to check the file system rules in\n\"/etc/audit/audit.rules\":\n\n # grep -iw \"/usr/bin/umount\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=4294967295 -k\nprivileged-mount\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"umount\" command occur.\n\nCheck that the following system call is being audited by performing the following series of commands to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw \"/usr/bin/umount\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=4294967295 -k privileged-mount \n\nIf the command does not return any output, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"umount\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=4294967295 -k\nprivileged-mount\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"umount\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72175": { + "describe__deleted": " audit_file = '/usr/sbin/postdrop'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72409r5_chk", - "severity": "medium", - "gid": "V-72175", - "rid": "SV-86799r4_rule", - "stig_id": "RHEL-07-030760", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78529r5_fix", - "cci": [ - "CCI-000135", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72409r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72175" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if 
audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe postdrop command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command." + }, + "desc": { + "__old": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged postfix commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "__new": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged postfix commands. 
The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"postdrop\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/sbin/postdrop /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295 -k privileged-postfix\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"postdrop\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295 -k privileged-postfix\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged postfix commands. 
The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"postdrop\" command occur.\n\n Check that the following system call is being audited by performing the\nfollowing command to check the file system rules in \"/etc/audit/audit.rules\":\n\n # grep -iw /usr/sbin/postdrop /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295\n-k privileged-postfix\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"postdrop\" command occur.\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/sbin/postdrop /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295 -k privileged-postfix\n\nIf the command does not return any output, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"postdrop\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295\n-k privileged-postfix\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"postdrop\" command occur.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295 -k privileged-postfix\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72177": { + "describe__deleted": " audit_file = '/usr/sbin/postqueue'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72411r4_chk", - "severity": "medium", - "gid": "V-72177", - "rid": "SV-86801r3_rule", - "stig_id": "RHEL-07-030770", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78531r5_fix", - "cci": [ - "CCI-000135", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72411r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72177" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not 
possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe postqueue command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command." + }, + "desc": { + "__old": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged postfix commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "__new": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"postqueue\" command occur. 
\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/sbin/postqueue /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=4294967295 -k privileged-postfix\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"postqueue\" command occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=4294967295 -k privileged-postfix\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged postfix commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"postqueue\" command occur.\n\n Check that the following system call is being audited by performing the\nfollowing command to check the file system rules in \"/etc/audit/audit.rules\":\n\n # grep -iw /usr/sbin/postqueue /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F\nauid!=4294967295 -k privileged-postfix\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"postqueue\" command occur. 
\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/sbin/postqueue /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=4294967295 -k privileged-postfix\n\nIf the command does not return any output, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"postqueue\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F\nauid!=4294967295 -k privileged-postfix\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"postqueue\" command occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=4294967295 -k privileged-postfix\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72179": { + "describe__deleted": " audit_file = '/usr/libexec/openssh/ssh-keysign'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72413r4_chk", - "severity": "medium", - "gid": "V-72179", - "rid": "SV-86803r3_rule", - "stig_id": "RHEL-07-030780", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78533r4_fix", - "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72413r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72179" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.", - "desc": "[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe ssh-keysign command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command." 
+ }, + "desc": { + "__old": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged ssh commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "__new": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"ssh-keysign\" command occur. \n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/libexec/openssh/ssh-keysign /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"ssh-keysign\" command occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default__deleted": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged ssh commands. The organization must maintain audit trails in\nsufficient detail to reconstruct events to determine the cause and impact of\ncompromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"ssh-keysign\" command occur.\n\n Check that the following system call is being audited by performing the\nfollowing command to check the file system rules in \"/etc/audit/audit.rules\":\n\n # grep -iw /usr/libexec/openssh/ssh-keysign /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"ssh-keysign\" command occur. \n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/libexec/openssh/ssh-keysign /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nIf the command does not return any output, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"ssh-keysign\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F\nauid!=4294967295 -k privileged-ssh\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"ssh-keysign\" command occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72183": { + "describe__deleted": " audit_file = '/usr/bin/crontab'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72417r4_chk", - "severity": "medium", - "gid": "V-72183", - "rid": "SV-86807r3_rule", - "stig_id": "RHEL-07-030800", - "gtitle": "SRG-OS-000042-GPOS-00020", - "fix_id": "F-78537r4_fix", - "cci": [ - "CCI-000135", - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72417r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72183" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.", - "desc": 
"[\"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\\n\\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\\n\\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe crontab command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the crontab command." + }, + "desc": { + "__old": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", + "__new": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"crontab\" command occur. 
\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/bin/crontab /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=4294967295 -k privileged-cron\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"crontab\" command occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=4294967295 -k privileged-cron\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Reconstruction of harmful events or forensic analysis is not possible\nif audit records do not contain enough information.\n\n At a minimum, the organization must audit the full-text recording of\nprivileged commands. The organization must maintain audit trails in sufficient\ndetail to reconstruct events to determine the cause and impact of compromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"crontab\" command occur.\n\n Check that the following system call is being audited by performing the\nfollowing command to check the file system rules in \"/etc/audit/audit.rules\":\n\n # grep -iw /usr/bin/crontab /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=4294967295\n-k privileged-cron\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"crontab\" command occur. 
\n\nCheck that the following system call is being audited by performing the following command to check the file system rules in \"/etc/audit/audit.rules\": \n\n# grep -iw /usr/bin/crontab /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=4294967295 -k privileged-cron\n\nIf the command does not return any output, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"crontab\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=4294967295\n-k privileged-cron\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"crontab\" command occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=4294967295 -k privileged-cron\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72185": { + "describe__deleted": " audit_file = '/sbin/pam_timestamp_check'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72419r5_chk", - "severity": "medium", - "gid": "V-72185", - "rid": "SV-86809r4_rule", - "stig_id": "RHEL-07-030810", - "gtitle": "SRG-OS-000471-GPOS-00215", - "fix_id": "F-78539r4_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72419r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72185" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe pam_timestamp_check command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command." 
+ }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"pam_timestamp_check\" command occur. \n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw \"/usr/sbin/pam_timestamp_check\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=4294967295 -k privileged-pam \n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"pam_timestamp_check\" command occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=4294967295 -k privileged-pam\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"pam_timestamp_check\" command\noccur.\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep -iw \"/usr/sbin/pam_timestamp_check\" /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F\nauid!=4294967295 -k privileged-pam\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"pam_timestamp_check\" command occur. \n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw \"/usr/sbin/pam_timestamp_check\" /etc/audit/audit.rules\n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=4294967295 -k privileged-pam \n\nIf the command does not return any output, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"pam_timestamp_check\" command\noccur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F\nauid!=4294967295 -k privileged-pam\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"pam_timestamp_check\" command occur. 
\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=4294967295 -k privileged-pam\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72187": { + "describe__deleted": " describe auditd.syscall(\"init_module\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"init_module\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72421r6_chk", - "severity": "medium", - "gid": "V-72187", - "rid": "SV-86811r5_rule", - "stig_id": "RHEL-07-030820", - "gtitle": "SRG-OS-000471-GPOS-00216", - "fix_id": "F-78541r7_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72421r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72187" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe init_module syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall." 
+ }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"init_module\" syscall occur. \n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw init_module /etc/audit/audit.rules \n\n-a always,exit -F arch=b32 -S init_module -k module-change\n\n-a always,exit -F arch=b64 -S init_module -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"init_module\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"init_module\" syscall occur. \n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S init_module -k module-change\n\n-a always,exit -F arch=b64 -S init_module -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"init_module\" syscall occur.\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep -iw init_module /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S init_module -k module-change\n\n -a always,exit -F arch=b64 -S init_module -k module-change\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"init_module\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"init_module\" syscall occur. \n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw init_module /etc/audit/audit.rules \n\n-a always,exit -F arch=b32 -S init_module -k module-change\n\n-a always,exit -F arch=b64 -S init_module -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"init_module\" syscall, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"init_module\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S init_module -k module-change\n\n -a always,exit -F arch=b64 -S init_module -k module-change\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"init_module\" syscall occur. \n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S init_module -k module-change\n\n-a always,exit -F arch=b64 -S init_module -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72189": { + "describe__deleted": " describe auditd.syscall(\"delete_module\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"delete_module\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72423r6_chk", - "severity": "medium", - "gid": "V-72189", - "rid": "SV-86813r5_rule", - "stig_id": "RHEL-07-030830", - "gtitle": "SRG-OS-000471-GPOS-00216", - "fix_id": "F-78543r7_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72423r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72189" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be 
difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe delete_module syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"delete_module\" syscall occur. 
\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw delete_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S delete_module -k module-change\n\n-a always,exit -F arch=b64 -S delete_module -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"delete_module\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"delete_module\" syscall occur. \n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F arch=b32 -S delete_module -k module-change\n\n-a always,exit -F arch=b64 -S delete_module -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"delete_module\" syscall occur.\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep -iw delete_module /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S delete_module -k module-change\n\n -a always,exit -F arch=b64 -S delete_module -k module-change\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"delete_module\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"delete_module\" syscall occur. 
\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw delete_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S delete_module -k module-change\n\n-a always,exit -F arch=b64 -S delete_module -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"delete_module\" syscall, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"delete_module\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S delete_module -k module-change\n\n -a always,exit -F arch=b64 -S delete_module -k module-change\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"delete_module\" syscall occur. \n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F arch=b32 -S delete_module -k module-change\n\n-a always,exit -F arch=b64 -S delete_module -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72191": { + "describe__deleted": " audit_file = '/usr/bin/kmod'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should include ['x'] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72425r7_chk", - "severity": "medium", - "gid": "V-72191", - "rid": "SV-86815r5_rule", - "stig_id": "RHEL-07-030840", - "gtitle": "SRG-OS-000471-GPOS-00216", - "fix_id": "F-78545r10_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-72425r7_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72191" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe kmod command.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the kmod command." 
+ }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"kmod\" command occur. \n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw kmod /etc/audit/audit.rules\n\n-w /usr/bin/kmod -p x -F auid!=4294967295 -k module-change\n\nIf the command does not return any output, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"kmod\" command occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /usr/bin/kmod -p x -F auid!=4294967295 -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"kmod\" command occur.\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep -iw kmod /etc/audit/audit.rules\n\n -w /usr/bin/kmod -p x -F auid!=4294967295 -k module-change\n\n If the command does not return any output, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"kmod\" command occur. \n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw kmod /etc/audit/audit.rules\n\n-w /usr/bin/kmod -p x -F auid!=4294967295 -k module-change\n\nIf the command does not return any output, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"kmod\" command occur.\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -w /usr/bin/kmod -p x -F auid!=4294967295 -k module-change\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"kmod\" command occur. \n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /usr/bin/kmod -p x -F auid!=4294967295 -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-72197": { + "describe__deleted": " audit_file = '/etc/passwd'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n # Resource creates data structure including all usages of file\n perms = auditd.file(audit_file).permissions\n\n perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-72431r5_chk", - "severity": "medium", - "gid": "V-72197", - "rid": "SV-86821r5_rule", - "stig_id": "RHEL-07-030870", - "gtitle": "SRG-OS-000004-GPOS-00004", - "fix_id": "F-78551r4_fix", - "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-002130" - ], - "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)" - ] + "check_id__added": "C-72431r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72197" - ], - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, 
SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must generate audit\nrecords for all account creations, modifications, disabling, and termination\nevents that affect /etc/passwd.", + "__new": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/passwd\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep /etc/passwd /etc/audit/audit.rules\n\n-w /etc/passwd -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/passwd\".\n\nAdd or update the following rule \"/etc/audit/rules.d/audit.rules\":\n\n-w 
/etc/passwd -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system must generate audit records for all account\ncreations, modifications, disabling, and termination events that affect\n\"/etc/passwd\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep /etc/passwd /etc/audit/audit.rules\n\n -w /etc/passwd -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "__new": "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/passwd\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep /etc/passwd /etc/audit/audit.rules\n\n-w /etc/passwd -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records for all account\ncreations, modifications, disabling, and termination events that affect\n\"/etc/passwd\".\n\n Add or update the following rule \"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/passwd -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/passwd\".\n\nAdd or update the following rule \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/passwd -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72199": { + "describe__deleted": " describe auditd.syscall(\"rename\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"rename\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72433r6_chk", - "severity": "medium", - "gid": "V-72199", - "rid": "SV-86823r5_rule", - "stig_id": "RHEL-07-030880", - "gtitle": "SRG-OS-000466-GPOS-00210", - "fix_id": "F-78553r7_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72433r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72199" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall.", - "desc": "[\"If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\\n\\nSatisfies: SRG-OS-000466-GPOS-00210, 
SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe rename syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall." + }, + "desc": { + "__old": "If the system is not configured to audit certain activities and write\nthem to an audit log, it is more difficult to detect and track system\ncompromises and damages incurred during a system compromise.", + "__new": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"rename\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw rename /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"rename\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"rename\" syscall occur.\n\nAdd the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default__deleted": "If the system is not configured to audit certain activities and write\nthem to an audit log, it is more difficult to detect and track system\ncompromises and damages incurred during a system compromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"rename\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw rename /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n -a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"rename\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"rename\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw rename /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"rename\" syscall, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"rename\" syscall occur.\n\n Add the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n -a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"rename\" syscall occur.\n\nAdd the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72201": { + "describe__deleted": " describe auditd.syscall(\"renameat\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"renameat\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72435r7_chk", - "severity": "medium", - "gid": "V-72201", - "rid": "SV-86825r5_rule", - "stig_id": "RHEL-07-030890", - "gtitle": "SRG-OS-000466-GPOS-00210", - "fix_id": "F-78555r8_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72435r7_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72201" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall.", - "desc": "[\"If the system is not configured to audit 
certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\\n\\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe renameat syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall." + }, + "desc": { + "__old": "If the system is not configured to audit certain activities and write\nthem to an audit log, it is more difficult to detect and track system\ncompromises and damages incurred during a system compromise.", + "__new": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"renameat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw renameat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"renameat\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"renameat\" syscall occur.\n\nAdd the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to 
take effect." + "default__deleted": "If the system is not configured to audit certain activities and write\nthem to an audit log, it is more difficult to detect and track system\ncompromises and damages incurred during a system compromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"renameat\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw renameat /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n -a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"renameat\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"renameat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw renameat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"renameat\" syscall, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"renameat\" syscall occur.\n\n Add the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n -a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"renameat\" syscall occur.\n\nAdd the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72203": { + "describe__deleted": " describe auditd.syscall(\"rmdir\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"rmdir\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72437r6_chk", - "severity": "medium", - "gid": "V-72203", - "rid": "SV-86827r5_rule", - "stig_id": "RHEL-07-030900", - "gtitle": "SRG-OS-000466-GPOS-00210", - "fix_id": "F-78557r9_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72437r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72203" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall.", - "desc": "[\"If the system is not configured to audit 
certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\\n\\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe rmdir syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall." + }, + "desc": { + "__old": "If the system is not configured to audit certain activities and write\nthem to an audit log, it is more difficult to detect and track system\ncompromises and damages incurred during a system compromise.", + "__new": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"rmdir\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw rmdir /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"rmdir\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"rmdir\" syscall occur.\n\nAdd the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default__deleted": "If the system is not configured to audit certain activities and write\nthem to an audit log, it is more difficult to detect and track system\ncompromises and damages incurred during a system compromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"rmdir\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw rmdir /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n -a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"rmdir\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"rmdir\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw rmdir /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"rmdir\" syscall, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"rmdir\" syscall occur.\n\n Add the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n -a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"rmdir\" syscall occur.\n\nAdd the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72205": { + "describe__deleted": " describe auditd.syscall(\"unlink\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"unlink\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72439r6_chk", - "severity": "medium", - "gid": "V-72205", - "rid": "SV-86829r5_rule", - "stig_id": "RHEL-07-030910", - "gtitle": "SRG-OS-000466-GPOS-00210", - "fix_id": "F-78559r7_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72439r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72205" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall.", - "desc": "[\"If the system is not configured to audit certain activities 
and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\\n\\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe unlink syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall." + }, + "desc": { + "__old": "If the system is not configured to audit certain activities and write\nthem to an audit log, it is more difficult to detect and track system\ncompromises and damages incurred during a system compromise.", + "__new": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"unlink\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw unlink /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"unlink\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"unlink\" syscall occur.\n\nAdd the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default__deleted": "If the system is not configured to audit certain activities and write\nthem to an audit log, it is more difficult to detect and track system\ncompromises and damages incurred during a system compromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"unlink\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw unlink /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n -a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"unlink\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"unlink\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw unlink /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"unlink\" syscall, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"unlink\" syscall occur.\n\n Add the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n -a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"unlink\" syscall occur.\n\nAdd the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72207": { + "describe__deleted": " describe auditd.syscall(\"unlinkat\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"unlinkat\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-72441r7_chk", - "severity": "medium", - "gid": "V-72207", - "rid": "SV-86831r5_rule", - "stig_id": "RHEL-07-030920", - "gtitle": "SRG-OS-000466-GPOS-00210", - "fix_id": "F-78561r10_fix", - "cci": [ - "CCI-000172", - "CCI-002884" - ], - "nist": [ - "AU-12 c", - "MA-4 (1) (a)" - ] + "check_id__added": "C-72441r7_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72207" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall.", - "desc": "[\"If the system is not configured to audit 
certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\\n\\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe unlinkat syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall." + }, + "desc": { + "__old": "If the system is not configured to audit certain activities and write\nthem to an audit log, it is more difficult to detect and track system\ncompromises and damages incurred during a system compromise.", + "__new": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"unlinkat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw unlinkat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"unlinkat\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"unlinkat\" syscall occur.\n\nAdd the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to 
take effect." + "default__deleted": "If the system is not configured to audit certain activities and write\nthem to an audit log, it is more difficult to detect and track system\ncompromises and damages incurred during a system compromise.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"unlinkat\" syscall occur.\n\n Check the file system rules in \"/etc/audit/audit.rules\" with the\nfollowing commands:\n\n # grep -iw unlinkat /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n -a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"unlinkat\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"unlinkat\" syscall occur.\n\nCheck the file system rules in \"/etc/audit/audit.rules\" with the following commands:\n\n# grep -iw unlinkat /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"unlinkat\" syscall, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"unlinkat\" syscall occur.\n\n Add the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n -a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k\ndelete\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"unlinkat\" syscall occur.\n\nAdd the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-72209": { + "describe__deleted": " if input('alternate_logs')\n describe \"An alternate logging system is used. This test cannot be checked in a automated fashion and you must check it manually\" do\n skip \"An alternate logging system is used. 
This check must be performed manually\"\n end\n else\n describe command(\"grep @ #{input('log_pkg_path')} | grep -v \\\"^#\\\"\") do\n its('stdout.strip') { should_not be_empty }\n end\n end", "tags": { - "check_id": "C-72443r2_chk", - "severity": "medium", - "gid": "V-72209", - "rid": "SV-86833r2_rule", - "stig_id": "RHEL-07-031000", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78563r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72443r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72209" - ], - "title": "The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.", - "desc": "[\"Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must send rsyslog output\nto a log aggregation server.", + "__new": "The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server." + }, + "desc": { + "__old": "Sending rsyslog output to another system ensures that the logs cannot\nbe removed or modified in the event that the system is compromised or has a\nhardware failure.", + "__new": "Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure." 
+ }, "descs": { - "check": "Verify \"rsyslog\" is configured to send all messages to a log aggregation server.\n\nCheck the configuration of \"rsyslog\" with the following command:\n\nNote: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\".\n\n# grep @ /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n*.* @@logagg.site.mil\n\nIf there are no lines in the \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files that contain the \"@\" or \"@@\" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all \"rsyslog\" output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. \n\nIf the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is a finding.", - "fix": "Modify the \"/etc/rsyslog.conf\" or an \"/etc/rsyslog.d/*.conf\" file to contain a configuration line to send all \"rsyslog\" output to a log aggregation system:\n*.* @@" + "default__deleted": "Sending rsyslog output to another system ensures that the logs cannot\nbe removed or modified in the event that the system is compromised or has a\nhardware failure.", + "rationale__deleted": "", + "check": { + "__old": "Verify \"rsyslog\" is configured to send all messages to a log aggregation\nserver.\n\n Check the configuration of \"rsyslog\" with the following command:\n\n Note: If another logging package is used, substitute the utility\nconfiguration file for \"/etc/rsyslog.conf\".\n\n # grep @ /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n *.* @@logagg.site.mil\n\n If there are no lines in the \"/etc/rsyslog.conf\" or\n\"/etc/rsyslog.d/*.conf\" files that contain the \"@\" or \"@@\" symbol(s), and\nthe lines with the correct symbol(s) to send output to another system do not\ncover all \"rsyslog\" output, ask the System Administrator to indicate how the\naudit logs are off-loaded to a different system or media.\n\n If the 
lines are commented out or there is no evidence that the audit logs\nare being sent to another system, this is a finding.", + "__new": "Verify \"rsyslog\" is configured to send all messages to a log aggregation server.\n\nCheck the configuration of \"rsyslog\" with the following command:\n\nNote: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\".\n\n# grep @ /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n*.* @@logagg.site.mil\n\nIf there are no lines in the \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files that contain the \"@\" or \"@@\" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all \"rsyslog\" output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. \n\nIf the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is a finding." + }, + "fix": { + "__old": "Modify the \"/etc/rsyslog.conf\" or an \"/etc/rsyslog.d/*.conf\" file to\ncontain a configuration line to send all \"rsyslog\" output to a log\naggregation system:\n *.* @@", + "__new": "Modify the \"/etc/rsyslog.conf\" or an \"/etc/rsyslog.d/*.conf\" file to contain a configuration line to send all \"rsyslog\" output to a log aggregation system:\n*.* @@" + } } }, "V-72211": { + "describe__deleted": " log_aggregation_server = input('log_aggregation_server')\n\n if log_aggregation_server\n describe file('/etc/rsyslog.conf') do\n its('content') { should match %r{^\\$ModLoad\\s+imtcp.*\\n?$} }\n end\n else\n describe.one do\n describe file('/etc/rsyslog.conf') do\n its('content') { should match %r{\\$ModLoad\\s+imtcp.*\\n?$} }\n end\n describe file('/etc/rsyslog.conf') do\n its('content') { should_not match %r{^\\$ModLoad\\s+imtcp.*\\n?$} }\n end\n end\n end", "tags": { - "check_id": "C-72445r2_chk", - "severity": "medium", - "gid": "V-72211", - "rid": "SV-86835r2_rule", - "stig_id": 
"RHEL-07-031010", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78565r2_fix", - "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" - ], + "check_id__added": "C-72445r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1) (a)", - "CM-5 (1)" + [ + " " + ], + [ + " " + ], + [ + " " + ], + [ + "+", + "CM-5 (1) (a)" + ], + [ + " " + ], + [ + "-", + "CM-5 (1)" + ] ] }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72211" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.", - "desc": "[\"Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service.\\n\\nIf the system is intended to be a log aggregation server its use must be documented with the ISSO.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the rsyslog daemon does not accept log messages from other servers unless\nthe server is being used for log aggregation.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation." + }, + "desc": { + "__old": "Unintentionally running a rsyslog server accepting remote messages\nputs the system at increased risk. 
Malicious rsyslog messages sent to the\nserver could exploit vulnerabilities in the server software itself, could\nintroduce misleading information in to the system's logs, or could fill the\nsystem's storage leading to a Denial of Service.\n\n If the system is intended to be a log aggregation server its use must be\ndocumented with the ISSO.", + "__new": "Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service.\n\nIf the system is intended to be a log aggregation server its use must be documented with the ISSO." + }, "descs": { - "check": "Verify that the system is not accepting \"rsyslog\" messages from other systems unless it is documented as a log aggregation server.\n\nCheck the configuration of \"rsyslog\" with the following command:\n\n# grep imtcp /etc/rsyslog.conf\n$ModLoad imtcp\n# grep imudp /etc/rsyslog.conf\n$ModLoad imudp\n# grep imrelp /etc/rsyslog.conf\n$ModLoad imrelp\n\nIf any of the above modules are being loaded in the \"/etc/rsyslog.conf\" file, ask to see the documentation for the system being used for log aggregation.\n\nIf the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.", - "fix": "Modify the \"/etc/rsyslog.conf\" file to remove the \"ModLoad imtcp\", \"ModLoad imudp\", and \"ModLoad imrelp\" configuration lines, or document the system as being used for log aggregation." + "default__deleted": "Unintentionally running a rsyslog server accepting remote messages\nputs the system at increased risk. 
Malicious rsyslog messages sent to the\nserver could exploit vulnerabilities in the server software itself, could\nintroduce misleading information in to the system's logs, or could fill the\nsystem's storage leading to a Denial of Service.\n\n If the system is intended to be a log aggregation server its use must be\ndocumented with the ISSO.", + "rationale__deleted": "", + "check": { + "__old": "Verify that the system is not accepting \"rsyslog\" messages from other\nsystems unless it is documented as a log aggregation server.\n\n Check the configuration of \"rsyslog\" with the following command:\n\n # grep imtcp /etc/rsyslog.conf\n $ModLoad imtcp\n # grep imudp /etc/rsyslog.conf\n $ModLoad imudp\n # grep imrelp /etc/rsyslog.conf\n $ModLoad imrelp\n\n If any of the above modules are being loaded in the \"/etc/rsyslog.conf\"\nfile, ask to see the documentation for the system being used for log\naggregation.\n\n If the documentation does not exist, or does not specify the server as a\nlog aggregation system, this is a finding.", + "__new": "Verify that the system is not accepting \"rsyslog\" messages from other systems unless it is documented as a log aggregation server.\n\nCheck the configuration of \"rsyslog\" with the following command:\n\n# grep imtcp /etc/rsyslog.conf\n$ModLoad imtcp\n# grep imudp /etc/rsyslog.conf\n$ModLoad imudp\n# grep imrelp /etc/rsyslog.conf\n$ModLoad imrelp\n\nIf any of the above modules are being loaded in the \"/etc/rsyslog.conf\" file, ask to see the documentation for the system being used for log aggregation.\n\nIf the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding." 
+ }, + "fix": { + "__old": "Modify the \"/etc/rsyslog.conf\" file to remove the \"ModLoad\nimtcp\", \"ModLoad imudp\", and \"ModLoad imrelp\" configuration lines, or\ndocument the system as being used for log aggregation.", + "__new": "Modify the \"/etc/rsyslog.conf\" file to remove the \"ModLoad imtcp\", \"ModLoad imudp\", and \"ModLoad imrelp\" configuration lines, or document the system as being used for log aggregation." + } } }, "V-72213": { + "describe__deleted": " custom_antivirus = input('custom_antivirus')\n\n if ! custom_antivirus\n describe.one do\n describe service('nails') do\n it { should be_running }\n end\n describe service('clamav-daemon.socket') do\n it { should be_running }\n end\n describe service('ds_agent') do\n it { should be_running }\n end\n end\n else\n # Allow user to provide a description of their AV solution\n # for documentation.\n custom_antivirus_description = input('custom_antivirus_description')\n describe \"Antivirus: #{custom_antivirus_description}\" do\n subject { custom_antivirus_description }\n it { should_not cmp 'None' }\n end\n end", "tags": { - "check_id": "C-72447r3_chk", - "severity": "high", - "gid": "V-72213", - "rid": "SV-86837r3_rule", - "stig_id": "RHEL-07-032000", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78567r2_fix", - "cci": [ - "CCI-001668" - ], - "nist": [ - "SI-3 a" - ] + "check_id__added": "C-72447r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72213" - ], - "title": "The Red Hat Enterprise Linux operating system must use a virus scan program.", - "desc": "[\"Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. \\n\\nThe virus scanning software should be configured to perform scans dynamically on accessed files. 
If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis.\\n\\nIf the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must use a virus scan\nprogram.", + "__new": "The Red Hat Enterprise Linux operating system must use a virus scan program." + }, + "desc": { + "__old": "Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems.\n\n The virus scanning software should be configured to perform scans\ndynamically on accessed files. If this capability is not available, the system\nmust be configured to scan, at a minimum, all altered files on the system on a\ndaily basis.\n\n If the system processes inbound SMTP mail, the virus scanner must be\nconfigured to scan all received mail.", + "__new": "Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. \n\nThe virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis.\n\nIf the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail." + }, "descs": { - "check": "Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution.\n\nIf there is no anti-virus solution installed on the system, this is a finding.", - "fix": "Install an antivirus solution on the system." 
+ "default__deleted": "Virus scanning software can be used to protect a system from\npenetration from computer viruses and to limit their spread through\nintermediate systems.\n\n The virus scanning software should be configured to perform scans\ndynamically on accessed files. If this capability is not available, the system\nmust be configured to scan, at a minimum, all altered files on the system on a\ndaily basis.\n\n If the system processes inbound SMTP mail, the virus scanner must be\nconfigured to scan all received mail.", + "rationale__deleted": "", + "check": { + "__old": "Verify an anti-virus solution is installed on the system. The anti-virus\nsolution may be bundled with an approved host-based security solution.\n\n If there is no anti-virus solution installed on the system, this is a\nfinding.", + "__new": "Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution.\n\nIf there is no anti-virus solution installed on the system, this is a finding." + } } }, "V-72217": { + "describe__deleted": " maxlogins_limit = input('maxlogins_limit')\n\n # Collect any files under limits.d if they exist\n limits_files = directory('/etc/security/limits.d').exist? ? 
command('ls /etc/security/limits.d/*.conf').stdout.strip.lines : []\n # Add limits.conf to the list\n limits_files.push('/etc/security/limits.conf')\n compliant_files = []\n noncompliant_files = []\n\n limits_files.each do |limits_file|\n # Get any universal limits from each file\n local_limits = limits_conf(limits_file).*\n # If we got an array (results) check further\n if local_limits.is_a?(Array)\n local_limits.each do |temp_limit|\n # For each result check if it is a 'hard' limit for 'maxlogins'\n if temp_limit.include?('hard') && temp_limit.include?('maxlogins')\n # If the limit is in range, push to compliant files\n if temp_limit[-1].to_i <= maxlogins_limit\n compliant_files.push(limits_file)\n # Otherwise add to noncompliant files\n else\n noncompliant_files.push(limits_file)\n end\n end\n end\n end\n end\n\n # It is required that at least 1 file contain compliant configuration\n describe \"Files configuring maxlogins less than or equal to #{maxlogins_limit}\" do\n subject { compliant_files.length }\n it { should be_positive }\n end\n\n # No files should set 'hard' 'maxlogins' to any noncompliant value\n describe \"Files configuring maxlogins greater than #{maxlogins_limit}\" do\n subject { noncompliant_files }\n it { should cmp [] }\n end", "tags": { - "check_id": "C-72451r3_chk", - "severity": "low", - "gid": "V-72217", - "rid": "SV-86841r3_rule", - "stig_id": "RHEL-07-040000", - "gtitle": "SRG-OS-000027-GPOS-00008", - "fix_id": "F-78571r2_fix", - "cci": [ - "CCI-000054" - ], - "nist": [ - "AC-10" - ] + "check_id__added": "C-72451r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "low" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72217" - ], - "title": "The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.", - "desc": "[\"Operating system management includes the ability to control the number of users and user sessions 
that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.\\n\\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.false\"]", - "impact": 0.3, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must limit the number of\nconcurrent sessions to 10 for all accounts and/or account types.", + "__new": "The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types." + }, + "desc": { + "__old": "Operating system management includes the ability to control the number\nof users and user sessions that utilize an operating system. Limiting the\nnumber of allowed users and sessions per user is helpful in reducing the risks\nrelated to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. The maximum number of concurrent sessions should be defined\nbased on mission needs and the operational environment for each system.", + "__new": "Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system." 
+ }, "descs": { - "check": "Verify the operating system limits the number of concurrent sessions to \"10\" for all accounts and/or account types by issuing the following command:\n\n# grep \"maxlogins\" /etc/security/limits.conf /etc/security/limits.d/*.conf\n\n* hard maxlogins 10\n\nThis can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.\n\nIf the \"maxlogins\" item is missing, commented out, or the value is not set to \"10\" or less for all domains that have the \"maxlogins\" item assigned, this is a finding.", - "fix": "Configure the operating system to limit the number of concurrent sessions to \"10\" for all accounts and/or account types.\n\nAdd the following line to the top of the /etc/security/limits.conf or in a \".conf\" file defined in /etc/security/limits.d/ :\n\n* hard maxlogins 10" + "default__deleted": "Operating system management includes the ability to control the number\nof users and user sessions that utilize an operating system. Limiting the\nnumber of allowed users and sessions per user is helpful in reducing the risks\nrelated to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. 
The maximum number of concurrent sessions should be defined\nbased on mission needs and the operational environment for each system.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system limits the number of concurrent sessions to\n\"10\" for all accounts and/or account types by issuing the following command:\n\n # grep \"maxlogins\" /etc/security/limits.conf /etc/security/limits.d/*.conf\n\n * hard maxlogins 10\n\n This can be set as a global domain (with the * wildcard) but may be set\ndifferently for multiple domains.\n\n If the \"maxlogins\" item is missing, commented out, or the value is not\nset to \"10\" or less for all domains that have the \"maxlogins\" item\nassigned, this is a finding.", + "__new": "Verify the operating system limits the number of concurrent sessions to \"10\" for all accounts and/or account types by issuing the following command:\n\n# grep \"maxlogins\" /etc/security/limits.conf /etc/security/limits.d/*.conf\n\n* hard maxlogins 10\n\nThis can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.\n\nIf the \"maxlogins\" item is missing, commented out, or the value is not set to \"10\" or less for all domains that have the \"maxlogins\" item assigned, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to limit the number of concurrent sessions\nto \"10\" for all accounts and/or account types.\n\n Add the following line to the top of the /etc/security/limits.conf or in a\n\".conf\" file defined in /etc/security/limits.d/ :\n\n * hard maxlogins 10", + "__new": "Configure the operating system to limit the number of concurrent sessions to \"10\" for all accounts and/or account types.\n\nAdd the following line to the top of the /etc/security/limits.conf or in a \".conf\" file defined in /etc/security/limits.d/ :\n\n* hard maxlogins 10" + } } }, "V-72219": { + "describe__deleted": " firewalld_services_deny = input('firewalld_services_deny')\n firewalld_hosts_deny = input('firewalld_hosts_deny')\n firewalld_ports_deny = input('firewalld_ports_deny')\n firewalld_zones = input('firewalld_zones')\n iptables_rules = input('iptables_rules')\n\n if service('firewalld').running?\n\n # Check that the rules specified in 'firewalld_host_deny' are not enabled\n describe firewalld do\n firewalld_hosts_deny.each do |rule|\n it { should_not have_rule_enabled(rule) }\n end\n end\n\n # Check to make sure zones are specified\n if firewalld_zones.empty?\n describe \"Firewalld zones are not specified. Check 'firewalld_zones' input.\" do\n subject { firewalld_zones.empty? }\n it { should be false }\n end\n end\n\n # Check that the services specified in 'firewalld_services_deny' and\n # ports specified in 'firewalld_ports_deny' are not enabled\n firewalld_zones.each do |zone|\n if firewalld.has_zone?(zone)\n zone_services = firewalld_services_deny[zone.to_sym]\n zone_ports = firewalld_ports_deny[zone.to_sym]\n\n if !zone_services.nil?\n describe firewalld do\n zone_services.each do |serv|\n it { should_not have_service_enabled_in_zone(serv,zone) }\n end\n end\n else\n describe \"Services for zone '#{zone}' are not specified. Check 'firewalld_services_deny' input.\" do\n subject { zone_services.nil? 
}\n it { should be false }\n end\n end\n\n if !zone_ports.nil?\n describe firewalld do\n zone_ports.each do |port|\n it { should_not have_port_enabled_in_zone(port,zone) }\n end\n end\n else\n describe \"Ports for zone '#{zone}' are not specified. Check 'firewalld_ports_deny' input.\" do\n subject { zone_ports.nil? }\n it { should be false }\n end\n end\n else\n describe \"Firewalld zone '#{zone}' exists\" do\n subject { firewalld.has_zone?(zone) }\n it { should be true }\n end\n end\n end\n elsif service('iptables').running?\n describe iptables do\n iptables_rules.each do |rule|\n it { should have_rule(rule) }\n end\n end\n else\n describe \"No application firewall is installed\" do\n subject { service('firewalld').running? || service('iptables').running? }\n it { should eq true }\n end\n end", "tags": { - "check_id": "C-72453r1_chk", - "severity": "medium", - "gid": "V-72219", - "rid": "SV-86843r2_rule", - "stig_id": "RHEL-07-040100", - "gtitle": "SRG-OS-000096-GPOS-00050", - "fix_id": "F-78573r1_fix", - "cci": [ - "CCI-000382", - "CCI-002314" - ], - "nist": [ - "CM-7 b", - "AC-17 (1)" - ] + "check_id__added": "C-72453r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72219" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.", - "desc": "[\"In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.\\n\\nOperating systems are capable of providing a wide variety of functions and 
services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.\\n\\nTo support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.\\n\\nSatisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured to\nprohibit or restrict the use of functions, ports, protocols, and/or services,\nas defined in the Ports, Protocols, and Services Management Component Local\nService Assessment (PPSM CLSA) and vulnerability assessments.", + "__new": "The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." + }, + "desc": { + "__old": "In order to prevent unauthorized connection of devices, unauthorized\ntransfer of information, or unauthorized tunneling (i.e., embedding of data\ntypes within data types), organizations must disable or restrict unused or\nunnecessary physical and logical ports/protocols on information systems.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. Some of the functions and services provided by default may not be\nnecessary to support essential organizational operations. 
Additionally, it is\nsometimes convenient to provide multiple services from a single component\n(e.g., VPN and IPS); however, doing so increases risk over limiting the\nservices provided by any one component.\n\n To support the requirements and principles of least functionality, the\noperating system must support the organizational requirements, providing only\nessential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official\nbusiness or to address authorized quality of life issues.", + "__new": "In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. 
Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.\n\nTo support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.\n\n" + }, "descs": { - "check": "Inspect the firewall configuration and running services to verify that it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.\n\nCheck which services are currently active with the following command:\n\n# firewall-cmd --list-all\npublic (default, active)\n interfaces: enp0s3\n sources: \n services: dhcpv6-client dns http https ldaps rpc-bind ssh\n ports: \n masquerade: no\n forward-ports: \n icmp-blocks: \n rich rules: \n\nAsk the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. \n\nIf there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.", - "fix": "Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL." + "default__deleted": "In order to prevent unauthorized connection of devices, unauthorized\ntransfer of information, or unauthorized tunneling (i.e., embedding of data\ntypes within data types), organizations must disable or restrict unused or\nunnecessary physical and logical ports/protocols on information systems.\n\n Operating systems are capable of providing a wide variety of functions and\nservices. 
Some of the functions and services provided by default may not be\nnecessary to support essential organizational operations. Additionally, it is\nsometimes convenient to provide multiple services from a single component\n(e.g., VPN and IPS); however, doing so increases risk over limiting the\nservices provided by any one component.\n\n To support the requirements and principles of least functionality, the\noperating system must support the organizational requirements, providing only\nessential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official\nbusiness or to address authorized quality of life issues.", + "rationale__deleted": "", + "check": { + "__old": "Inspect the firewall configuration and running services to verify that it\nis configured to prohibit or restrict the use of functions, ports, protocols,\nand/or services that are unnecessary or prohibited.\n\n Check which services are currently active with the following command:\n\n # firewall-cmd --list-all\n public (default, active)\n interfaces: enp0s3\n sources:\n services: dhcpv6-client dns http https ldaps rpc-bind ssh\n ports:\n masquerade: no\n forward-ports:\n icmp-blocks:\n rich rules:\n\n Ask the System Administrator for the site or program PPSM CLSA. 
Verify the\nservices allowed by the firewall match the PPSM CLSA.\n\n If there are additional ports, protocols, or services that are not in the\nPPSM CLSA, or there are ports, protocols, or services that are prohibited by\nthe PPSM Category Assurance List (CAL), this is a finding.", + "__new": "Inspect the firewall configuration and running services to verify that it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.\n\nCheck which services are currently active with the following command:\n\n# firewall-cmd --list-all\npublic (default, active)\n interfaces: enp0s3\n sources: \n services: dhcpv6-client dns http https ldaps rpc-bind ssh\n ports: \n masquerade: no\n forward-ports: \n icmp-blocks: \n rich rules: \n\nAsk the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. \n\nIf there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding." + }, + "fix": { + "__old": "Update the host's firewall settings and/or running services to\ncomply with the PPSM CLSA for the site or program and the PPSM CAL.", + "__new": "Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL." 
+ } } }, "V-72221": { + "describe__deleted": " @ciphers_array = inspec.sshd_config.params['ciphers']\n\n unless @ciphers_array.nil?\n @ciphers_array = @ciphers_array.first.split(\",\")\n end\n\n describe @ciphers_array do\n it { should be_in ['aes128-ctr', 'aes192-ctr', 'aes256-ctr'] }\n end", "tags": { - "check_id": "C-72455r4_chk", - "severity": "medium", - "gid": "V-72221", - "rid": "SV-86845r3_rule", - "stig_id": "RHEL-07-040110", - "gtitle": "SRG-OS-000033-GPOS-00014", - "fix_id": "F-78575r3_fix", - "cci": [ - "CCI-000068", - "CCI-000366", - "CCI-000803" - ], - "nist": [ - "AC-17 (2)", - "CM-6 b", - "IA-7" - ] + "check_id__added": "C-72455r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72221" - ], - "title": "The Red Hat Enterprise Linux operating system must use a FIPS 140-2 approved cryptographic algorithm for SSH communications.", - "desc": "[\"Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\\n\\nOperating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.\\n\\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.\\n\\nSatisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173false\"]", - "impact": 0.5, - "descs": { - "check": "Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.\n\nNote: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.\n\nThe location of the \"sshd_config\" file may vary if a different daemon is in use.\n\nInspect the \"Ciphers\" configuration with the following command:\n\n# grep -i ciphers /etc/ssh/sshd_config\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nIf any ciphers other than \"aes128-ctr\", \"aes192-ctr\", or \"aes256-ctr\" are listed, the \"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.", - "fix": "Configure SSH to use FIPS 140-2 approved cryptographic algorithms.\n\nAdd the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).\n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nThe SSH service must be restarted for changes to take effect." 
- } - }, - "V-72223": { - "tags": { - "check_id": "C-72457r4_chk", - "severity": "medium", - "gid": "V-72223", - "rid": "SV-86847r4_rule", - "stig_id": "RHEL-07-040160", - "gtitle": "SRG-OS-000163-GPOS-00072", - "fix_id": "F-78577r5_fix", - "cci": [ - "CCI-001133", - "CCI-002361" - ], - "nist": [ - "SC-10", - "AC-12" - ] + "title": { + "__old": "The Red Hat Enterprise Linux operating system must use a FIPS 140-2\napproved cryptographic algorithm for SSH communications.", + "__new": "The Red Hat Enterprise Linux operating system must use a FIPS 140-2 approved cryptographic algorithm for SSH communications." + }, + "desc": { + "__old": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n Operating systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral purpose computing system.", + "__new": "Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n\nOperating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.\n\n" }, - "refs": [ - [ - "DPMS Target Red Hat 7" - ] - ], - "id": [ - "V-72223" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.", - "desc": "[\"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. \\n\\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. 
This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.false\"]", - "impact": 0.5, "descs": { - "check": "Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity.\n\nCheck the value of the system inactivity timeout with the following command:\n\n# grep -i tmout /etc/profile.d/*\n\netc/profile.d/tmout.sh:TMOUT=600\n\n/etc/profile.d/tmout.sh:readonly TMOUT\n\n/etc/profile.d/tmout.sh:export TMOUT\n\nIf \"TMOUT\" is not set to \"600\" or less in a script located in the /etc/profile.d/ directory to enforce session termination after inactivity, this is a finding.", - "fix": "Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity.\n\nCreate a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:\n\n#!/bin/bash\n\nTMOUT=600\nreadonly TMOUT\nexport TMOUT" + "default__deleted": "Unapproved mechanisms that are used for authentication to the\ncryptographic module are not verified and therefore cannot be relied upon to\nprovide confidentiality or integrity, and DoD data may be compromised.\n\n Operating systems utilizing encryption are required to use FIPS-compliant\nmechanisms for authenticating to cryptographic modules.\n\n FIPS 140-2 is the current standard for validating that mechanisms used to\naccess cryptographic modules utilize authentication that meets DoD\nrequirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a\ngeneral purpose computing system.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system uses mechanisms meeting the requirements of\napplicable federal laws, Executive orders, directives, policies, regulations,\nstandards, and guidance for authentication to a cryptographic module.\n\n Note: If RHEL-07-021350 is a finding, this is automatically a finding as\nthe system cannot implement FIPS 140-2-approved cryptographic algorithms and\nhashes.\n\n The location of the \"sshd_config\" file may vary if a different daemon is\nin use.\n\n Inspect the \"Ciphers\" configuration with the following command:\n\n # grep -i ciphers /etc/ssh/sshd_config\n Ciphers aes128-ctr,aes192-ctr,aes256-ctr\n\n If any ciphers other than \"aes128-ctr\", \"aes192-ctr\", or \"aes256-ctr\"\nare listed, the \"Ciphers\" keyword is missing, or the returned line is\ncommented out, this is a finding.", + "__new": "Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.\n\nNote: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.\n\nThe location of the \"sshd_config\" file may vary if a different daemon is in use.\n\nInspect the \"Ciphers\" configuration with the following command:\n\n# grep -i ciphers /etc/ssh/sshd_config\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nIf any ciphers other than \"aes128-ctr\", \"aes192-ctr\", or \"aes256-ctr\" are listed, the \"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure SSH to use FIPS 140-2 approved cryptographic algorithms.\n\n Add the following line (or modify the line to have the required value) to\nthe \"/etc/ssh/sshd_config\" file (this file may be named differently or be in\na different location if using a version of SSH that is provided by a\nthird-party vendor).\n\n Ciphers aes128-ctr,aes192-ctr,aes256-ctr\n\n The SSH service must be restarted for changes to take effect.", + "__new": "Configure SSH to use FIPS 140-2 approved cryptographic algorithms.\n\nAdd the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).\n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nThe SSH service must be restarted for changes to take effect." + } } }, - "V-72225": { - "tags": { - "check_id": "C-72459r3_chk", - "severity": "medium", - "gid": "V-72225", - "rid": "SV-86849r5_rule", - "stig_id": "RHEL-07-040170", - "gtitle": "SRG-OS-000023-GPOS-00006", - "fix_id": "F-78579r5_fix", - "cci": [ - "CCI-000048", - "CCI-000050", - "CCI-001384", - "CCI-001385", - "CCI-001386", - "CCI-001387", - "CCI-001388" - ], - "nist": [ - "AC-8 a", - "AC-8 b", - "AC-8 c 1", - "AC-8 c 2", - "AC-8 c 2", - "AC-8 c 2", - "AC-8 c 3" - ] + "V-72223": { + "describe__deleted": " system_activity_timeout = input('system_activity_timeout')\n\n # Get current TMOUT environment variable (active test)\n describe 'Environment variable TMOUT' do\n subject { os_env('TMOUT').content.to_i }\n it { should be <= system_activity_timeout }\n end\n\n # Check if TMOUT is set in files (passive test)\n files = ['/etc/bashrc'] + ['/etc/profile'] + command(\"find /etc/profile.d/*\").stdout.split(\"\\n\")\n latest_val = nil\n\n files.each do |file|\n readonly = false\n\n # Skip to next file if TMOUT isn't present. 
Otherwise, get the last occurrence of TMOUT\n next if (values = command(\"grep -Po '.*TMOUT.*' #{file}\").stdout.split(\"\\n\")).empty?\n\n # Loop through each TMOUT match and see if set TMOUT's value or makes it readonly\n values.each_with_index { |value, index|\n\n # Skip if starts with '#' - it represents a comment\n next if !value.match(/^#/).nil?\n # If readonly and value is inline - use that value\n if !value.match(/^readonly[\\s]+TMOUT[\\s]*=[\\s]*[\\d]+$/).nil?\n latest_val = value.match(/[\\d]+/)[0].to_i\n readonly = true\n break\n # If readonly, but, value is not inline - use the most recent value\n elsif !value.match(/^readonly[\\s]+([\\w]+[\\s]+)?TMOUT[\\s]*([\\s]+[\\w]+[\\s]*)*$/).nil?\n # If the index is greater than 0, the configuraiton setting value.\n # Otherwise, the configuration setting value is in the previous file\n # and is already set in latest_val.\n if index >= 1\n latest_val = values[index - 1].match(/[\\d]+/)[0].to_i\n end\n readonly = true\n break\n # Readonly is not set use the lastest value\n else\n latest_val = value.match(/[\\d]+/)[0].to_i\n end\n }\n # Readonly is set - stop processing files\n break if readonly === true\n end\n\n if latest_val.nil?\n describe \"The TMOUT setting is configured\" do\n subject { !latest_val.nil? 
}\n it { should be true }\n end\n else\n describe\"The TMOUT setting is configured properly\" do\n subject { latest_val }\n it { should be <= system_activity_timeout }\n end\n end", + "tags": { + "check_id__added": "C-72457r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72225" - ], - "title": "The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts.", - "desc": "[\"Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\\n\\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\\n\\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\\n\\n\\\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\\\"\\n\\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007 , SRG-OS-000228-GPOS-00088false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all network connections associated with a communication session are\nterminated at the end of the session or after 10 minutes of inactivity from the\nuser at a command prompt, except to fulfill documented and validated mission\nrequirements.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements." + }, + "desc": { + "__old": "Terminating an idle session within a short time period reduces the\nwindow of opportunity for unauthorized personnel to take control of a\nmanagement session enabled on the console or console port that has been left\nunattended. In addition, quickly terminating an idle session will also free up\nresources committed by the managed network element.\n\n Terminating network connections associated with communications sessions\nincludes, for example, de-allocating associated TCP/IP address/port pairs at\nthe operating system level and de-allocating networking assignments at the\napplication level if multiple application sessions are using a single operating\nsystem-level network connection. This does not mean that the operating system\nterminates all sessions or network access; it only ends the inactive session\nand releases the resources associated with that session.", + "__new": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. 
In addition, quickly terminating an idle session will also free up resources committed by the managed network element. \n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session." + }, "descs": { - "check": "Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nCheck for the location of the banner file being used with the following command:\n\n# grep -i banner /etc/ssh/sshd_config\n\nbanner /etc/issue\n\nThis command will return the banner keyword and the name of the file that contains the ssh banner (in this case \"/etc/issue\").\n\nIf the line is commented out, this is a finding.\n\nView the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nIf the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.\n\nIf the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.", - "fix": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is:\n\nbanner /etc/issue\n\nEither create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative 
searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nThe SSH service must be restarted for changes to take effect." + "default__deleted": "Terminating an idle session within a short time period reduces the\nwindow of opportunity for unauthorized personnel to take control of a\nmanagement session enabled on the console or console port that has been left\nunattended. In addition, quickly terminating an idle session will also free up\nresources committed by the managed network element.\n\n Terminating network connections associated with communications sessions\nincludes, for example, de-allocating associated TCP/IP address/port pairs at\nthe operating system level and de-allocating networking assignments at the\napplication level if multiple application sessions are using a single operating\nsystem-level network connection. 
This does not mean that the operating system\nterminates all sessions or network access; it only ends the inactive session\nand releases the resources associated with that session.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system terminates all network connections associated\nwith a communications session at the end of the session or based on inactivity.\n\n Check the value of the system inactivity timeout with the following command:\n\n # grep -i tmout /etc/profile.d/*\n\n etc/profile.d/tmout.sh:TMOUT=600\n\n /etc/profile.d/tmout.sh:readonly TMOUT\n\n /etc/profile.d/tmout.sh:export TMOUT\n\n If \"TMOUT\" is not set to \"600\" or less in a script located in the\n/etc/profile.d/ directory to enforce session termination after inactivity, this\nis a finding.", + "__new": "Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity.\n\nCheck the value of the system inactivity timeout with the following command:\n\n# grep -i tmout /etc/profile.d/*\n\netc/profile.d/tmout.sh:TMOUT=600\n\n/etc/profile.d/tmout.sh:readonly TMOUT\n\n/etc/profile.d/tmout.sh:export TMOUT\n\nIf \"TMOUT\" is not set to \"600\" or less in a script located in the /etc/profile.d/ directory to enforce session termination after inactivity, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to terminate all network connections\nassociated with a communications session at the end of the session or after a\nperiod of inactivity.\n\n Create a script to enforce the inactivity timeout (for example\n/etc/profile.d/tmout.sh) such as:\n\n #!/bin/bash\n\n TMOUT=600\n readonly TMOUT\n export TMOUT", + "__new": "Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity.\n\nCreate a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:\n\n#!/bin/bash\n\nTMOUT=600\nreadonly TMOUT\nexport TMOUT" + } + } + }, + "V-72225": { + "describe__deleted": " banner_message_text_ral = input('banner_message_text_ral')\n banner_message_text_ral_limited = input('banner_message_text_ral_limited')\n\n #When Banner is commented, not found, disabled, or the specified file does not exist, this is a finding.\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n\n #Banner property is commented out.\n describe \"The SSHD Banner is not set\" do\n subject { banner_file.nil? }\n it { should be false }\n end if banner_file.nil?\n\n #Banner property is set to \"none\"\n describe \"The SSHD Banner is disabled\" do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end if !banner_file.nil? && !banner_file.match(/none/i).nil?\n\n #Banner property provides a path to a file, however, it does not exist.\n describe \"The SSHD Banner is set, but, the file does not exist\" do\n subject { file(banner_file).exist? }\n it { should be true }\n end if !banner_file.nil? && banner_file.match(/none/i).nil? 
&& !file(banner_file).exist?\n\n #Banner property provides a path to a file and it exists.\n describe.one do\n banner = file(banner_file).content.gsub(%r{[\\r\\n\\s]}, '')\n clean_banner = banner_message_text_ral.gsub(%r{[\\r\\n\\s]}, '')\n clean_banner_limited = banner_message_text_ral_limited.gsub(%r{[\\r\\n\\s]}, '')\n\n describe \"The SSHD Banner is set to the standard banner and has the correct text\" do\n subject { banner }\n it { should cmp clean_banner }\n end\n\n describe \"The SSHD Banner is set to the standard limited banner and has the correct text\" do\n subject { banner }\n it { should cmp clean_banner_limited }\n end\n end if !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n end", + "tags": { + "check_id__added": "C-72459r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, + "rid": { + "__old": "SV-86849r4_rule", + "__new": "SV-86849r5_rule" + }, + "fix_id": { + "__old": "F-78579r4_fix", + "__new": "F-78579r5_fix" + }, + "nist": [ + [ + " " + ], + [ + " " + ], + [ + " " + ], + [ + " " + ], + [ + " " + ], + [ + "-", + "AC-8 c\n2" + ], + [ + "+", + "AC-8 c 2" + ], + [ + " " + ] + ] + }, + "refs": [ + [ + "+", + "DPMS Target Red Hat 7" + ] + ], + "title": { + "__old": "The Red Hat Enterprise Linux operating system must display the\nStandard Mandatory DoD Notice and Consent Banner immediately prior to, or as\npart of, remote access logon prompts.", + "__new": "The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts." 
+ }, + "desc": { + "__old": "Display of a standardized and approved use notification before\ngranting access to the publicly accessible operating system ensures privacy and\nsecurity notification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\"", + "__new": "Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\n" + }, + "descs": { + "default__deleted": "Display of a standardized and approved use notification before\ngranting access to the publicly accessible operating system ensures privacy and\nsecurity notification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. 
Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"", + "rationale__deleted": "", + "check": { + "__old": "Verify any publicly accessible connection to the operating system displays\nthe Standard Mandatory DoD Notice and Consent Banner before granting access to\nthe system.\n\n Check for the location of the banner file being used with the following\ncommand:\n\n # grep -i banner /etc/ssh/sshd_config\n\n banner /etc/issue\n\n This command will return the banner keyword and the name of the file that\ncontains the ssh banner (in this case \"/etc/issue\").\n\n If the line is commented out, this is a finding.\n\n View the file specified by the banner keyword to check that it matches the\ntext of the Standard Mandatory DoD Notice and Consent Banner:\n\n \"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, 
psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"\n\n If the system does not display a graphical logon banner or the banner does\nnot match the Standard Mandatory DoD Notice and Consent Banner, this is a\nfinding.\n\n If the text in the file does not match the Standard Mandatory DoD Notice\nand Consent Banner, this is a finding.", + "__new": "Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nCheck for the location of the banner file being used with the following command:\n\n# grep -i banner /etc/ssh/sshd_config\n\nbanner /etc/issue\n\nThis command will return the banner keyword and the name of the file that contains the ssh banner (in this case \"/etc/issue\").\n\nIf the line is commented out, this is a finding.\n\nView the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nIf the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.\n\nIf the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to display the Standard Mandatory DoD Notice\nand Consent Banner before granting access to the system via the ssh.\n\n Edit the \"/etc/ssh/sshd_config\" file to uncomment the banner keyword and\nconfigure it to point to a file that will contain the logon banner (this file\nmay be named differently or be in a different location if using a version of\nSSH that is provided by a third-party vendor). An example configuration line is:\n\n banner /etc/issue\n\n Either create the file containing the banner or replace the text in the\nfile with the Standard Mandatory DoD Notice and Consent Banner. The DoD\nrequired text is:\n\n \"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. 
See User\nAgreement for details.\"\n\n The SSH service must be restarted for changes to take effect.", + "__new": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is:\n\nbanner /etc/issue\n\nEither create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. 
Such communications and work product are private and confidential. See User Agreement for details.\"\n\nThe SSH service must be restarted for changes to take effect." + } } }, "V-72227": { + "describe__deleted": " sssd_id_ldap_enabled = (package('sssd').installed? and\n !command('grep \"^\\s*id_provider\\s*=\\s*ldap\" /etc/sssd/sssd.conf').stdout.strip.empty?)\n\n pam_ldap_enabled = (!command('grep \"^[^#]*pam_ldap\\.so\" /etc/pam.d/*').stdout.strip.empty?)\n\n if !(sssd_id_ldap_enabled or pam_ldap_enabled)\n impact 0.0\n describe \"LDAP not enabled\" do\n skip \"LDAP not enabled using any known mechanisms, this control is Not Applicable.\"\n end\n end\n\n if sssd_id_ldap_enabled\n ldap_id_use_start_tls = command('grep ldap_id_use_start_tls /etc/sssd/sssd.conf')\n describe ldap_id_use_start_tls do\n its('stdout.strip') { should match %r{^ldap_id_use_start_tls\\s*=\\s*true$}}\n end\n\n ldap_id_use_start_tls.stdout.strip.each_line do |line|\n describe line do\n it { should match %r{^ldap_id_use_start_tls\\s*=\\s*true$}}\n end\n end\n end\n\n if pam_ldap_enabled\n describe command('grep -i ssl /etc/pam_ldap.conf') do\n its('stdout.strip') { should match %r{^ssl start_tls$}}\n end\n end", "tags": { - "check_id": "C-72461r3_chk", - "severity": "medium", - "gid": "V-72227", - "rid": "SV-86851r4_rule", - "stig_id": "RHEL-07-040180", - "gtitle": "SRG-OS-000250-GPOS-00093", - "fix_id": "F-78581r2_fix", - "cci": [ - "CCI-001453" - ], - "nist": [ - "AC-17 (2)" - ] + "check_id__added": "C-72461r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72227" - ], - "title": "The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.", - "desc": "[\"Without cryptographic integrity protections, information can be altered by unauthorized users without 
detection.\\n\\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must implement\ncryptography to protect the integrity of Lightweight Directory Access Protocol\n(LDAP) authentication communications.", + "__new": "The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications." + }, + "desc": { + "__old": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the key used to generate the hash.", + "__new": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash." 
+ }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "If LDAP is not being utilized, this requirement is Not Applicable.\n\nVerify the operating system implements cryptography to protect the integrity of remote LDAP authentication sessions.\n\nTo determine if LDAP is being used for authentication, use the following command:\n\n# systemctl status sssd.service\nsssd.service - System Security Services Daemon\nLoaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\nActive: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n\nIf the \"sssd.service\" is \"active\", then LDAP is being used. \n\nDetermine the \"id_provider\" the LDAP is currently using:\n\n# grep -i \"id_provider\" /etc/sssd/sssd.conf\n\nid_provider = ad\n\nIf \"id_provider\" is set to \"ad\", this is Not Applicable.\n\nEnsure that LDAP is configured to use TLS by using the following command:\n\n# grep -i \"start_tls\" /etc/sssd/sssd.conf\nldap_id_use_start_tls = true\n\nIf the \"ldap_id_use_start_tls\" option is not \"true\", this is a finding.", - "fix": "Configure the operating system to implement cryptography to protect the integrity of LDAP authentication sessions.\n\nAdd or modify the following line in \"/etc/sssd/sssd.conf\":\n\nldap_id_use_start_tls = true" + "default__deleted": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the key used to generate the hash.", + "rationale__deleted": "", + "check": { + "__old": "If LDAP is not being utilized, this requirement is Not Applicable.\n\n Verify the operating system implements cryptography to protect the\nintegrity of remote LDAP authentication 
sessions.\n\n To determine if LDAP is being used for authentication, use the following\ncommand:\n\n # systemctl status sssd.service\n sssd.service - System Security Services Daemon\n Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor\npreset: disabled)\n Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n\n If the \"sssd.service\" is \"active\", then LDAP is being used.\n\n Determine the \"id_provider\" the LDAP is currently using:\n\n # grep -i \"id_provider\" /etc/sssd/sssd.conf\n\n id_provider = ad\n\n If \"id_provider\" is set to \"ad\", this is Not Applicable.\n\n Ensure that LDAP is configured to use TLS by using the following command:\n\n # grep -i \"start_tls\" /etc/sssd/sssd.conf\n ldap_id_use_start_tls = true\n\n If the \"ldap_id_use_start_tls\" option is not \"true\", this is a finding.", + "__new": "If LDAP is not being utilized, this requirement is Not Applicable.\n\nVerify the operating system implements cryptography to protect the integrity of remote LDAP authentication sessions.\n\nTo determine if LDAP is being used for authentication, use the following command:\n\n# systemctl status sssd.service\nsssd.service - System Security Services Daemon\nLoaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\nActive: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n\nIf the \"sssd.service\" is \"active\", then LDAP is being used. \n\nDetermine the \"id_provider\" the LDAP is currently using:\n\n# grep -i \"id_provider\" /etc/sssd/sssd.conf\n\nid_provider = ad\n\nIf \"id_provider\" is set to \"ad\", this is Not Applicable.\n\nEnsure that LDAP is configured to use TLS by using the following command:\n\n# grep -i \"start_tls\" /etc/sssd/sssd.conf\nldap_id_use_start_tls = true\n\nIf the \"ldap_id_use_start_tls\" option is not \"true\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to implement cryptography to protect the\nintegrity of LDAP authentication sessions.\n\n Add or modify the following line in \"/etc/sssd/sssd.conf\":\n\n ldap_id_use_start_tls = true", + "__new": "Configure the operating system to implement cryptography to protect the integrity of LDAP authentication sessions.\n\nAdd or modify the following line in \"/etc/sssd/sssd.conf\":\n\nldap_id_use_start_tls = true" + } } }, "V-72229": { + "describe__deleted": " sssd_id_ldap_enabled = (package('sssd').installed? and\n !command('grep \"^\\s*id_provider\\s*=\\s*ldap\" /etc/sssd/sssd.conf').stdout.strip.empty?)\n\n sssd_ldap_enabled = (package('sssd').installed? and\n !command('grep \"^\\s*[a-z]*_provider\\s*=\\s*ldap\" /etc/sssd/sssd.conf').stdout.strip.empty?)\n\n pam_ldap_enabled = (!command('grep \"^[^#]*pam_ldap\\.so\" /etc/pam.d/*').stdout.strip.empty?)\n\n if !(sssd_id_ldap_enabled or sssd_ldap_enabled or pam_ldap_enabled)\n impact 0.0\n describe \"LDAP not enabled\" do\n skip \"LDAP not enabled using any known mechanisms, this control is Not Applicable.\"\n end\n end\n\n if sssd_id_ldap_enabled\n ldap_id_use_start_tls = command('grep ldap_id_use_start_tls /etc/sssd/sssd.conf')\n describe ldap_id_use_start_tls do\n its('stdout.strip') { should match %r{^ldap_id_use_start_tls\\s*=\\s*true$}}\n end\n\n ldap_id_use_start_tls.stdout.strip.each_line do |line|\n describe line do\n it { should match %r{^ldap_id_use_start_tls\\s*=\\s*true$}}\n end\n end\n end\n\n if sssd_ldap_enabled\n ldap_tls_cacertdir = command('grep -i ldap_tls_cacertdir /etc/sssd/sssd.conf').\n stdout.strip.scan(%r{^ldap_tls_cacertdir\\s*=\\s*(.*)}).last\n\n describe \"ldap_tls_cacertdir\" do\n subject { ldap_tls_cacertdir }\n it { should_not eq nil }\n end\n\n describe file(ldap_tls_cacertdir.last) do\n it { should exist }\n it { should be_directory }\n end if !ldap_tls_cacertdir.nil?\n end\n\n if pam_ldap_enabled\n tls_cacertdir = command('grep -i 
tls_cacertdir /etc/pam_ldap.conf').\n stdout.strip.scan(%r{^tls_cacertdir\\s+(.*)}).last\n\n describe \"tls_cacertdir\" do\n subject { tls_cacertdir }\n it { should_not eq nil }\n end\n\n describe file(tls_cacertdir.last) do\n it { should exist }\n it { should be_directory }\n end if !tls_cacertdir.nil?\n end", "tags": { - "check_id": "C-72463r6_chk", - "severity": "medium", - "gid": "V-72229", - "rid": "SV-86853r4_rule", - "stig_id": "RHEL-07-040190", - "gtitle": "SRG-OS-000250-GPOS-00093", - "fix_id": "F-78583r4_fix", - "cci": [ - "CCI-001453" - ], - "nist": [ - "AC-17 (2)" - ] + "check_id__added": "C-72463r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72229" - ], - "title": "The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.", - "desc": "[\"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\\n\\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must implement\ncryptography to protect the integrity of Lightweight Directory Access Protocol\n(LDAP) communications.", + "__new": "The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications." 
+ }, + "desc": { + "__old": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the key used to generate the hash.", + "__new": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "If LDAP is not being utilized, this requirement is Not Applicable.\n\nVerify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.\n\nTo determine if LDAP is being used for authentication, use the following command:\n\n# systemctl status sssd.service\nsssd.service - System Security Services Daemon\nLoaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\nActive: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n\nIf the \"sssd.service\" is \"active\", then LDAP is being used. 
\n\nDetermine the \"id_provider\" the LDAP is currently using:\n\n# grep -i \"id_provider\" /etc/sssd/sssd.conf\n\nid_provider = ad\n\nIf \"id_provider\" is set to \"ad\", this is Not Applicable.\n\nVerify the sssd service is configured to require the use of certificates:\n\n# grep -i tls_reqcert /etc/sssd/sssd.conf\nldap_tls_reqcert = demand\n\nIf the \"ldap_tls_reqcert\" setting is missing, commented out, or does not exist, this is a finding.\n\nIf the \"ldap_tls_reqcert\" setting is not set to \"demand\" or \"hard\", this is a finding.", - "fix": "Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.\n\nAdd or modify the following line in \"/etc/sssd/sssd.conf\":\n\nldap_tls_reqcert = demand" + "default__deleted": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the key used to generate the hash.", + "rationale__deleted": "", + "check": { + "__old": "If LDAP is not being utilized, this requirement is Not Applicable.\n\n Verify the operating system implements cryptography to protect the\nintegrity of remote LDAP access sessions.\n\n To determine if LDAP is being used for authentication, use the following\ncommand:\n\n # systemctl status sssd.service\n sssd.service - System Security Services Daemon\n Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor\npreset: disabled)\n Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n\n If the \"sssd.service\" is \"active\", then LDAP is being used.\n\n Determine the \"id_provider\" the LDAP is currently using:\n\n # grep -i \"id_provider\" /etc/sssd/sssd.conf\n\n id_provider = ad\n\n If 
\"id_provider\" is set to \"ad\", this is Not Applicable.\n\n Verify the sssd service is configured to require the use of certificates:\n\n # grep -i tls_reqcert /etc/sssd/sssd.conf\n ldap_tls_reqcert = demand\n\n If the \"ldap_tls_reqcert\" setting is missing, commented out, or does not\nexist, this is a finding.\n\n If the \"ldap_tls_reqcert\" setting is not set to \"demand\" or \"hard\",\nthis is a finding.", + "__new": "If LDAP is not being utilized, this requirement is Not Applicable.\n\nVerify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.\n\nTo determine if LDAP is being used for authentication, use the following command:\n\n# systemctl status sssd.service\nsssd.service - System Security Services Daemon\nLoaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\nActive: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n\nIf the \"sssd.service\" is \"active\", then LDAP is being used. \n\nDetermine the \"id_provider\" the LDAP is currently using:\n\n# grep -i \"id_provider\" /etc/sssd/sssd.conf\n\nid_provider = ad\n\nIf \"id_provider\" is set to \"ad\", this is Not Applicable.\n\nVerify the sssd service is configured to require the use of certificates:\n\n# grep -i tls_reqcert /etc/sssd/sssd.conf\nldap_tls_reqcert = demand\n\nIf the \"ldap_tls_reqcert\" setting is missing, commented out, or does not exist, this is a finding.\n\nIf the \"ldap_tls_reqcert\" setting is not set to \"demand\" or \"hard\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to implement cryptography to protect the\nintegrity of LDAP remote access sessions.\n\n Add or modify the following line in \"/etc/sssd/sssd.conf\":\n\n ldap_tls_reqcert = demand", + "__new": "Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.\n\nAdd or modify the following line in \"/etc/sssd/sssd.conf\":\n\nldap_tls_reqcert = demand" + } } }, "V-72231": { + "describe__deleted": " sssd_id_ldap_enabled = (package('sssd').installed? and\n !command('grep \"^\\s*id_provider\\s*=\\s*ldap\" /etc/sssd/sssd.conf').stdout.strip.empty?)\n\n sssd_ldap_enabled = (package('sssd').installed? and\n !command('grep \"^\\s*[a-z]*_provider\\s*=\\s*ldap\" /etc/sssd/sssd.conf').stdout.strip.empty?)\n\n pam_ldap_enabled = (!command('grep \"^[^#]*pam_ldap\\.so\" /etc/pam.d/*').stdout.strip.empty?)\n\n if !(sssd_id_ldap_enabled or sssd_ldap_enabled or pam_ldap_enabled)\n impact 0.0\n describe \"LDAP not enabled\" do\n skip \"LDAP not enabled using any known mechanisms, this control is Not Applicable.\"\n end\n end\n\n if sssd_id_ldap_enabled\n ldap_id_use_start_tls = command('grep ldap_id_use_start_tls /etc/sssd/sssd.conf')\n describe ldap_id_use_start_tls do\n its('stdout.strip') { should match %r{^ldap_id_use_start_tls\\s*=\\s*true$}}\n end\n\n ldap_id_use_start_tls.stdout.strip.each_line do |line|\n describe line do\n it { should match %r{^ldap_id_use_start_tls\\s*=\\s*true$}}\n end\n end\n end\n\n if sssd_ldap_enabled\n ldap_tls_cacert = command('grep -i ldap_tls_cacert /etc/sssd/sssd.conf').\n stdout.strip.scan(%r{^ldap_tls_cacert\\s*=\\s*(.*)}).last\n\n describe \"ldap_tls_cacert\" do\n subject { ldap_tls_cacert }\n it { should_not eq nil }\n end\n\n describe file(ldap_tls_cacert.last) do\n it { should exist }\n it { should be_file }\n end if !ldap_tls_cacert.nil?\n end\n\n if pam_ldap_enabled\n tls_cacertfile = command('grep -i tls_cacertfile 
/etc/pam_ldap.conf').\n stdout.strip.scan(%r{^tls_cacertfile\\s+(.*)}).last\n\n describe \"tls_cacertfile\" do\n subject { tls_cacertfile }\n it { should_not eq nil }\n end\n\n describe file(tls_cacertfile.last) do\n it { should exist }\n it { should be_file }\n end if !tls_cacertfile.nil?\n end", "tags": { - "check_id": "C-72465r4_chk", - "severity": "medium", - "gid": "V-72231", - "rid": "SV-86855r4_rule", - "stig_id": "RHEL-07-040200", - "gtitle": "SRG-OS-000250-GPOS-00093", - "fix_id": "F-78585r3_fix", - "cci": [ - "CCI-001453" - ], - "nist": [ - "AC-17 (2)" - ] + "check_id__added": "C-72465r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72231" - ], - "title": "The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.", - "desc": "[\"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\\n\\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must implement\ncryptography to protect the integrity of Lightweight Directory Access Protocol\n(LDAP) communications.", + "__new": "The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications." 
+ }, + "desc": { + "__old": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the key used to generate the hash.", + "__new": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "If LDAP is not being utilized, this requirement is Not Applicable.\n\nVerify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.\n\nTo determine if LDAP is being used for authentication, use the following command:\n\n# systemctl status sssd.service\nsssd.service - System Security Services Daemon\nLoaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\nActive: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n\nIf the \"sssd.service\" is \"active\", then LDAP is being used.\n\nDetermine the \"id_provider\" that the LDAP is currently using:\n\n# grep -i \"id_provider\" /etc/sssd/sssd.conf\n\nid_provider = ad\n\nIf \"id_provider\" is set to \"ad\", this is Not Applicable.\n\nCheck the path to the X.509 certificate for peer authentication with the following command:\n\n# grep -i tls_cacert /etc/sssd/sssd.conf\n\nldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt\n\nVerify the \"ldap_tls_cacert\" option points to a file that contains the 
trusted CA certificate.\n\nIf this file does not exist, or the option is commented out or missing, this is a finding.", - "fix": "Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.\n\nAdd or modify the following line in \"/etc/sssd/sssd.conf\":\n\nldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt" + "default__deleted": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection.\n\n Cryptographic mechanisms used for protecting the integrity of information\ninclude, for example, signed hash functions using asymmetric cryptography\nenabling distribution of the public key to verify the hash information while\nmaintaining the confidentiality of the key used to generate the hash.", + "rationale__deleted": "", + "check": { + "__old": "If LDAP is not being utilized, this requirement is Not Applicable.\n\n Verify the operating system implements cryptography to protect the\nintegrity of remote LDAP access sessions.\n\n To determine if LDAP is being used for authentication, use the following\ncommand:\n\n # systemctl status sssd.service\n sssd.service - System Security Services Daemon\n Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor\npreset: disabled)\n Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n\n If the \"sssd.service\" is \"active\", then LDAP is being used.\n\n Determine the \"id_provider\" that the LDAP is currently using:\n\n # grep -i \"id_provider\" /etc/sssd/sssd.conf\n\n id_provider = ad\n\n If \"id_provider\" is set to \"ad\", this is Not Applicable.\n\n Check the path to the X.509 certificate for peer authentication with the\nfollowing command:\n\n # grep -i tls_cacert /etc/sssd/sssd.conf\n\n ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt\n\n Verify the \"ldap_tls_cacert\" option points to a file that contains the\ntrusted CA certificate.\n\n If this file does not exist, or the option is 
commented out or missing,\nthis is a finding.", + "__new": "If LDAP is not being utilized, this requirement is Not Applicable.\n\nVerify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.\n\nTo determine if LDAP is being used for authentication, use the following command:\n\n# systemctl status sssd.service\nsssd.service - System Security Services Daemon\nLoaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)\nActive: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago\n\nIf the \"sssd.service\" is \"active\", then LDAP is being used.\n\nDetermine the \"id_provider\" that the LDAP is currently using:\n\n# grep -i \"id_provider\" /etc/sssd/sssd.conf\n\nid_provider = ad\n\nIf \"id_provider\" is set to \"ad\", this is Not Applicable.\n\nCheck the path to the X.509 certificate for peer authentication with the following command:\n\n# grep -i tls_cacert /etc/sssd/sssd.conf\n\nldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt\n\nVerify the \"ldap_tls_cacert\" option points to a file that contains the trusted CA certificate.\n\nIf this file does not exist, or the option is commented out or missing, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to implement cryptography to protect the\nintegrity of LDAP remote access sessions.\n\n Add or modify the following line in \"/etc/sssd/sssd.conf\":\n\n ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt", + "__new": "Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.\n\nAdd or modify the following line in \"/etc/sssd/sssd.conf\":\n\nldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt" + } } }, "V-72233": { + "describe__deleted": " describe package('openssh-server') do\n it { should be_installed }\n end\n describe package('openssh-clients') do\n it { should be_installed }\n end", "tags": { - "check_id": "C-72467r3_chk", - "severity": "medium", - "gid": "V-72233", - "rid": "SV-86857r3_rule", - "stig_id": "RHEL-07-040300", - "gtitle": "SRG-OS-000423-GPOS-00187", - "fix_id": "F-78587r3_fix", - "cci": [ - "CCI-002418", - "CCI-002420", - "CCI-002421", - "CCI-002422" - ], - "nist": [ - "SC-8", - "SC-8 (2)", - "SC-8 (1)", - "SC-8 (2)" - ] + "check_id__added": "C-72467r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72233" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.", - "desc": "[\"Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \\n\\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). 
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \\n\\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.\\n\\nSatisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all networked systems have SSH installed.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed." + }, + "desc": { + "__old": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). 
If\nphysical means of protection are employed, logical means (cryptography) do not\nhave to be employed, and vice versa.", + "__new": "Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.\n\n" + }, "descs": { - "check": "Check to see if sshd is installed with the following command:\n\n# yum list installed \\*ssh\\*\nlibssh2.x86_64 1.4.3-8.el7 @anaconda/7.1\nopenssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1\nopenssh-server.x86_64 6.6.1p1-11.el7 @anaconda/7.1\n\nIf the \"SSH server\" package is not installed, this is a finding.", - "fix": "Install SSH packages onto the host with the following commands:\n\n# yum install openssh-server.x86_64" + "default__deleted": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). 
Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). If\nphysical means of protection are employed, logical means (cryptography) do not\nhave to be employed, and vice versa.", + "rationale__deleted": "" } }, "V-72235": { + "describe__deleted": " describe systemd_service('sshd.service') do\n it { should be_running }\n end", "tags": { - "check_id": "C-72469r3_chk", - "severity": "medium", - "gid": "V-72235", - "rid": "SV-86859r3_rule", - "stig_id": "RHEL-07-040310", - "gtitle": "SRG-OS-000423-GPOS-00187", - "fix_id": "F-78589r2_fix", - "cci": [ - "CCI-002418", - "CCI-002420", - "CCI-002421", - "CCI-002422" - ], - "nist": [ - "SC-8", - "SC-8 (2)", - "SC-8 (1)", - "SC-8 (2)" - ] + "check_id__added": "C-72469r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72235" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.", - "desc": "[\"Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \\n\\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). 
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \\n\\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\\n\\nSatisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS-000423-GPOS-00190false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all networked systems use SSH for confidentiality and integrity of\ntransmitted and received information as well as information during preparation\nfor transmission.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission." + }, + "desc": { + "__old": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). 
Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.", + "__new": "Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\n\n" + }, "descs": { - "check": "Verify SSH is loaded and active with the following command:\n\n# systemctl status sshd\nsshd.service - OpenSSH server daemon\nLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\nActive: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\nMain PID: 1348 (sshd)\nCGroup: /system.slice/sshd.service\n1053 /usr/sbin/sshd -D\n\nIf \"sshd\" does not show a status of \"active\" and \"running\", this is a finding.", - "fix": "Configure the SSH service to automatically start after reboot with the following command:\n\n# systemctl enable sshd.service" + "default__deleted": "Without protection of the transmitted information, confidentiality and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.\n\n This requirement applies to both internal and external networks and all\ntypes of information system components from which information can be\ntransmitted (e.g., servers, mobile devices, notebook computers, printers,\ncopiers, scanners, and facsimile machines). Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of\ninterception and modification.\n\n Protecting the confidentiality and integrity of organizational information\ncan be accomplished by physical means (e.g., employing physical distribution\nsystems) or by logical means (e.g., employing cryptographic techniques). 
If\nphysical means of protection are employed, then logical means (cryptography) do\nnot have to be employed, and vice versa.", + "rationale__deleted": "", + "check": { + "__old": "Verify SSH is loaded and active with the following command:\n\n # systemctl status sshd\n sshd.service - OpenSSH server daemon\n Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\n Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days\nago\n Main PID: 1348 (sshd)\n CGroup: /system.slice/sshd.service\n 1053 /usr/sbin/sshd -D\n\n If \"sshd\" does not show a status of \"active\" and \"running\", this is a\nfinding.", + "__new": "Verify SSH is loaded and active with the following command:\n\n# systemctl status sshd\nsshd.service - OpenSSH server daemon\nLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\nActive: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\nMain PID: 1348 (sshd)\nCGroup: /system.slice/sshd.service\n1053 /usr/sbin/sshd -D\n\nIf \"sshd\" does not show a status of \"active\" and \"running\", this is a finding." + }, + "fix": { + "__old": "Configure the SSH service to automatically start after reboot with the\nfollowing command:\n\n # systemctl enable sshd.service", + "__new": "Configure the SSH service to automatically start after reboot with the following command:\n\n# systemctl enable sshd.service" + } } }, "V-72237": { + "describe__deleted": " client_alive_interval = input('client_alive_interval')\n\n #This may show slightly confusing results when a ClientAliveInterValue is not\n #specified. Specifically, because the value will be nil and when you try to\n #convert it to an integer using to_i it will convert it to 0 and pass the\n #<= client_alive_interval check. 
However, the control as a whole will still fail.\n describe sshd_config do\n its(\"ClientAliveInterval.to_i\"){should cmp >= 1}\n its(\"ClientAliveInterval.to_i\"){should cmp <= client_alive_interval}\n its(\"ClientAliveInterval\"){should_not eq nil}\n end", "tags": { - "check_id": "C-72471r2_chk", - "severity": "medium", - "gid": "V-72237", - "rid": "SV-86861r4_rule", - "stig_id": "RHEL-07-040320", - "gtitle": "SRG-OS-000163-GPOS-00072", - "fix_id": "F-78591r2_fix", - "cci": [ - "CCI-001133", - "CCI-002361" - ], - "nist": [ - "SC-10", - "AC-12" - ] + "check_id__added": "C-72471r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72237" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.", - "desc": "[\"Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\\n\\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. 
This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\\n\\nSatisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all network connections associated with SSH traffic are terminated at the\nend of the session or after 10 minutes of inactivity, except to fulfill\ndocumented and validated mission requirements.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." + }, + "desc": { + "__old": "Terminating an idle SSH session within a short time period reduces the\nwindow of opportunity for unauthorized personnel to take control of a\nmanagement session enabled on the console or console port that has been left\nunattended. In addition, quickly terminating an idle SSH session will also free\nup resources committed by the managed network element.\n\n Terminating network connections associated with communications sessions\nincludes, for example, de-allocating associated TCP/IP address/port pairs at\nthe operating system level and de-allocating networking assignments at the\napplication level if multiple application sessions are using a single operating\nsystem-level network connection. 
This does not mean that the operating system\nterminates all sessions or network access; it only ends the inactive session\nand releases the resources associated with that session.", + "__new": "Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\n" + }, "descs": { - "check": "Verify the operating system automatically terminates a user session after inactivity time-outs have expired.\n\nCheck for the value of the \"ClientAliveInterval\" keyword with the following command:\n\n# grep -iw clientaliveinterval /etc/ssh/sshd_config\n\nClientAliveInterval 600\n\nIf \"ClientAliveInterval\" is not configured, commented out, or has a value of \"0\", this is a finding.\n\nIf \"ClientAliveInterval\" has a value that is greater than \"600\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown.\n\nAdd the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a different 
location if using a version of SSH that is provided by a third-party vendor):\n\nClientAliveInterval 600\n\nThe SSH service must be restarted for changes to take effect." + "default__deleted": "Terminating an idle SSH session within a short time period reduces the\nwindow of opportunity for unauthorized personnel to take control of a\nmanagement session enabled on the console or console port that has been left\nunattended. In addition, quickly terminating an idle SSH session will also free\nup resources committed by the managed network element.\n\n Terminating network connections associated with communications sessions\nincludes, for example, de-allocating associated TCP/IP address/port pairs at\nthe operating system level and de-allocating networking assignments at the\napplication level if multiple application sessions are using a single operating\nsystem-level network connection. This does not mean that the operating system\nterminates all sessions or network access; it only ends the inactive session\nand releases the resources associated with that session.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system automatically terminates a user session after\ninactivity time-outs have expired.\n\n Check for the value of the \"ClientAliveInterval\" keyword with the\nfollowing command:\n\n # grep -iw clientaliveinterval /etc/ssh/sshd_config\n\n ClientAliveInterval 600\n\n If \"ClientAliveInterval\" is not configured, commented out, or has a value\nof \"0\", this is a finding.\n\n If \"ClientAliveInterval\" has a value that is greater than \"600\" and is\nnot documented with the Information System Security Officer (ISSO) as an\noperational requirement, this is a finding.", + "__new": "Verify the operating system automatically terminates a user session after inactivity time-outs have expired.\n\nCheck for the value of the \"ClientAliveInterval\" keyword with the following command:\n\n# grep -iw clientaliveinterval 
/etc/ssh/sshd_config\n\nClientAliveInterval 600\n\nIf \"ClientAliveInterval\" is not configured, commented out, or has a value of \"0\", this is a finding.\n\nIf \"ClientAliveInterval\" has a value that is greater than \"600\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to automatically terminate a user session\nafter inactivity time-outs have expired or at shutdown.\n\n Add the following line (or modify the line to have the required value) to\nthe \"/etc/ssh/sshd_config\" file (this file may be named differently or be in\na different location if using a version of SSH that is provided by a\nthird-party vendor):\n\n ClientAliveInterval 600\n\n The SSH service must be restarted for changes to take effect.", + "__new": "Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown.\n\nAdd the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nClientAliveInterval 600\n\nThe SSH service must be restarted for changes to take effect." 
+ } } }, "V-72239": { + "describe__deleted": " describe sshd_config do\n its('RhostsRSAAuthentication') { should cmp 'no' }\n end", "tags": { - "check_id": "C-72473r5_chk", - "severity": "medium", - "gid": "V-72239", - "rid": "SV-86863r4_rule", - "stig_id": "RHEL-07-040330", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78593r4_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72473r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72239" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.", - "desc": "[\"Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the SSH daemon does not allow authentication using RSA rhosts\nauthentication.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication." + }, + "desc": { + "__old": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", + "__new": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere." 
+ }, "descs": { - "check": "Check the version of the operating system with the following command:\n\n# cat /etc/redhat-release\n\nIf the release is 7.4 or newer this requirement is Not Applicable.\n\nVerify the SSH daemon does not allow authentication using RSA rhosts authentication.\n\nTo determine how the SSH daemon's \"RhostsRSAAuthentication\" option is set, run the following command:\n\n# grep RhostsRSAAuthentication /etc/ssh/sshd_config\nRhostsRSAAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, or no output is returned, this is a finding.", - "fix": "Configure the SSH daemon to not allow authentication using RSA rhosts authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"no\":\n\nRhostsRSAAuthentication no\n\nThe SSH service must be restarted for changes to take effect." + "default__deleted": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", + "rationale__deleted": "", + "check": { + "__old": "Check the version of the operating system with the following command:\n\n # cat /etc/redhat-release\n\n If the release is 7.4 or newer this requirement is Not Applicable.\n\n Verify the SSH daemon does not allow authentication using RSA rhosts\nauthentication.\n\n To determine how the SSH daemon's \"RhostsRSAAuthentication\" option is\nset, run the following command:\n\n # grep RhostsRSAAuthentication /etc/ssh/sshd_config\n RhostsRSAAuthentication no\n\n If the value is returned as \"yes\", the returned line is commented out, or\nno output is returned, this is a finding.", + "__new": "Check the version of the operating system with the following command:\n\n# cat /etc/redhat-release\n\nIf the release is 7.4 or newer this requirement is Not Applicable.\n\nVerify the SSH daemon does not allow authentication using RSA rhosts 
authentication.\n\nTo determine how the SSH daemon's \"RhostsRSAAuthentication\" option is set, run the following command:\n\n# grep RhostsRSAAuthentication /etc/ssh/sshd_config\nRhostsRSAAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, or no output is returned, this is a finding." + }, + "fix": { + "__old": "Configure the SSH daemon to not allow authentication using RSA rhosts\nauthentication.\n\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line\nand set the value to \"no\":\n\n RhostsRSAAuthentication no\n\n The SSH service must be restarted for changes to take effect.", + "__new": "Configure the SSH daemon to not allow authentication using RSA rhosts authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"no\":\n\nRhostsRSAAuthentication no\n\nThe SSH service must be restarted for changes to take effect." + } } }, "V-72241": { + "describe__deleted": " if os.release.to_f >= 7.4\n impact 0.0\n describe \"The release is #{os.release}\" do\n skip \"The release is newer than 7.4; this control is Not Applicable.\"\n end\n else\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp '0' }\n end\n end", "tags": { - "check_id": "C-72475r4_chk", - "severity": "medium", - "gid": "V-72241", - "rid": "SV-86865r4_rule", - "stig_id": "RHEL-07-040340", - "gtitle": "SRG-OS-000163-GPOS-00072", - "fix_id": "F-78595r4_fix", - "cci": [ - "CCI-001133", - "CCI-002361" - ], - "nist": [ - "SC-10", - "AC-12" - ] + "check_id__added": "C-72475r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72241" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity.", - "desc": "[\"Terminating an idle SSH session within a short 
time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\\n\\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\\n\\nSatisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all network connections associated with SSH traffic terminate after a\nperiod of inactivity.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity." + }, + "desc": { + "__old": "Terminating an idle SSH session within a short time period reduces the\nwindow of opportunity for unauthorized personnel to take control of a\nmanagement session enabled on the console or console port that has been left\nunattended. 
In addition, quickly terminating an idle SSH session will also free\nup resources committed by the managed network element.\n\n Terminating network connections associated with communications sessions\nincludes, for example, de-allocating associated TCP/IP address/port pairs at\nthe operating system level and de-allocating networking assignments at the\napplication level if multiple application sessions are using a single operating\nsystem-level network connection. This does not mean that the operating system\nterminates all sessions or network access; it only ends the inactive session\nand releases the resources associated with that session.", + "__new": "Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. 
This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\n" + }, "descs": { - "check": "Verify the operating system automatically terminates a user session after inactivity time-outs have expired.\n\nCheck for the value of the \"ClientAliveCountMax\" keyword with the following command:\n\n# grep -i clientalivecount /etc/ssh/sshd_config\nClientAliveCountMax 0\n\nIf \"ClientAliveCountMax\" is not set to \"0\", this is a finding.", - "fix": "Configure the operating system to terminate automatically a user session after inactivity time-outs have expired or at shutdown.\n\nAdd the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nClientAliveCountMax 0\n\nThe SSH service must be restarted for changes to take effect." + "default__deleted": "Terminating an idle SSH session within a short time period reduces the\nwindow of opportunity for unauthorized personnel to take control of a\nmanagement session enabled on the console or console port that has been left\nunattended. In addition, quickly terminating an idle SSH session will also free\nup resources committed by the managed network element.\n\n Terminating network connections associated with communications sessions\nincludes, for example, de-allocating associated TCP/IP address/port pairs at\nthe operating system level and de-allocating networking assignments at the\napplication level if multiple application sessions are using a single operating\nsystem-level network connection. 
This does not mean that the operating system\nterminates all sessions or network access; it only ends the inactive session\nand releases the resources associated with that session.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system automatically terminates a user session after\ninactivity time-outs have expired.\n\n Check for the value of the \"ClientAliveCountMax\" keyword with the\nfollowing command:\n\n # grep -i clientalivecount /etc/ssh/sshd_config\n ClientAliveCountMax 0\n\n If \"ClientAliveCountMax\" is not set to \"0\", this is a finding.", + "__new": "Verify the operating system automatically terminates a user session after inactivity time-outs have expired.\n\nCheck for the value of the \"ClientAliveCountMax\" keyword with the following command:\n\n# grep -i clientalivecount /etc/ssh/sshd_config\nClientAliveCountMax 0\n\nIf \"ClientAliveCountMax\" is not set to \"0\", this is a finding." + }, + "fix": { + "__old": "Configure the operating system to terminate automatically a user session\nafter inactivity time-outs have expired or at shutdown.\n\n Add the following line (or modify the line to have the required value) to\nthe \"/etc/ssh/sshd_config\" file (this file may be named differently or be in\na different location if using a version of SSH that is provided by a\nthird-party vendor):\n\n ClientAliveCountMax 0\n\n The SSH service must be restarted for changes to take effect.", + "__new": "Configure the operating system to terminate automatically a user session after inactivity time-outs have expired or at shutdown.\n\nAdd the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nClientAliveCountMax 0\n\nThe SSH service must be restarted for changes to take effect." 
+ } } }, "V-72243": { + "describe__deleted": " describe sshd_config do\n its('IgnoreRhosts') { should cmp 'yes' }\n end", "tags": { - "check_id": "C-72477r1_chk", - "severity": "medium", - "gid": "V-72243", - "rid": "SV-86867r3_rule", - "stig_id": "RHEL-07-040350", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78597r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72477r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72243" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.", - "desc": "[\"Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the SSH daemon does not allow authentication using rhosts authentication.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication." + }, + "desc": { + "__old": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", + "__new": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere." 
+ }, "descs": { - "check": "Verify the SSH daemon does not allow authentication using known hosts authentication.\n\nTo determine how the SSH daemon's \"IgnoreRhosts\" option is set, run the following command:\n\n# grep -i IgnoreRhosts /etc/ssh/sshd_config\n\nIgnoreRhosts yes\n\nIf the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding.", - "fix": "Configure the SSH daemon to not allow authentication using known hosts authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"yes\":\n\nIgnoreRhosts yes" + "default__deleted": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", + "rationale__deleted": "", + "check": { + "__old": "Verify the SSH daemon does not allow authentication using known hosts\nauthentication.\n\n To determine how the SSH daemon's \"IgnoreRhosts\" option is set, run the\nfollowing command:\n\n # grep -i IgnoreRhosts /etc/ssh/sshd_config\n\n IgnoreRhosts yes\n\n If the value is returned as \"no\", the returned line is commented out, or\nno output is returned, this is a finding.", + "__new": "Verify the SSH daemon does not allow authentication using known hosts authentication.\n\nTo determine how the SSH daemon's \"IgnoreRhosts\" option is set, run the following command:\n\n# grep -i IgnoreRhosts /etc/ssh/sshd_config\n\nIgnoreRhosts yes\n\nIf the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding." 
+ }, + "fix": { + "__old": "Configure the SSH daemon to not allow authentication using known hosts\nauthentication.\n\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line\nand set the value to \"yes\":\n\n IgnoreRhosts yes", + "__new": "Configure the SSH daemon to not allow authentication using known hosts authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"yes\":\n\nIgnoreRhosts yes" + } } }, "V-72245": { + "describe__deleted": " if sshd_config.params['printlastlog'] == ['yes']\n describe sshd_config do\n its('PrintLastLog') { should cmp 'yes' }\n end\n else\n describe pam('/etc/pam.d/sshd') do\n its('lines') { should match_pam_rule('session required pam_lastlog.so showfailed') }\n its('lines') { should match_pam_rule('session required pam_lastlog.so showfailed').all_without_args('silent') }\n end\n end", "tags": { - "check_id": "C-72479r1_chk", - "severity": "medium", - "gid": "V-72245", - "rid": "SV-86869r3_rule", - "stig_id": "RHEL-07-040360", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78599r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72479r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72245" - ], - "title": "The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon.", - "desc": "[\"Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must display the date\nand time of the last successful account logon upon an SSH logon.", + "__new": "The Red Hat Enterprise Linux operating system must display the date and time of the last successful account 
logon upon an SSH logon." + }, + "desc": { + "__old": "Providing users with feedback on when account accesses via SSH last\noccurred facilitates user recognition and reporting of unauthorized account\nuse.", + "__new": "Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use." + }, "descs": { - "check": "Verify SSH provides users with feedback on when account accesses last occurred.\n\nCheck that \"PrintLastLog\" keyword in the sshd daemon configuration file is used and set to \"yes\" with the following command:\n\n# grep -i printlastlog /etc/ssh/sshd_config\nPrintLastLog yes\n\nIf the \"PrintLastLog\" keyword is set to \"no\", is missing, or is commented out, this is a finding.", - "fix": "Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in \"/etc/pam.d/sshd\" or in the \"sshd_config\" file used by the system (\"/etc/ssh/sshd_config\" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).\n\nModify the \"PrintLastLog\" line in \"/etc/ssh/sshd_config\" to match the following:\n\nPrintLastLog yes\n\nThe SSH service must be restarted for changes to \"sshd_config\" to take effect." 
+ "default__deleted": "Providing users with feedback on when account accesses via SSH last\noccurred facilitates user recognition and reporting of unauthorized account\nuse.", + "rationale__deleted": "", + "check": { + "__old": "Verify SSH provides users with feedback on when account accesses last\noccurred.\n\n Check that \"PrintLastLog\" keyword in the sshd daemon configuration file\nis used and set to \"yes\" with the following command:\n\n # grep -i printlastlog /etc/ssh/sshd_config\n PrintLastLog yes\n\n If the \"PrintLastLog\" keyword is set to \"no\", is missing, or is\ncommented out, this is a finding.", + "__new": "Verify SSH provides users with feedback on when account accesses last occurred.\n\nCheck that \"PrintLastLog\" keyword in the sshd daemon configuration file is used and set to \"yes\" with the following command:\n\n# grep -i printlastlog /etc/ssh/sshd_config\nPrintLastLog yes\n\nIf the \"PrintLastLog\" keyword is set to \"no\", is missing, or is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure SSH to provide users with feedback on when account accesses last\noccurred by setting the required configuration options in \"/etc/pam.d/sshd\"\nor in the \"sshd_config\" file used by the system (\"/etc/ssh/sshd_config\"\nwill be used in the example) (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party\nvendor).\n\n Modify the \"PrintLastLog\" line in \"/etc/ssh/sshd_config\" to match the\nfollowing:\n\n PrintLastLog yes\n\n The SSH service must be restarted for changes to \"sshd_config\" to take\neffect.", + "__new": "Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in \"/etc/pam.d/sshd\" or in the \"sshd_config\" file used by the system (\"/etc/ssh/sshd_config\" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).\n\nModify the \"PrintLastLog\" line in \"/etc/ssh/sshd_config\" to match the following:\n\nPrintLastLog yes\n\nThe SSH service must be restarted for changes to \"sshd_config\" to take effect." 
+ } } }, "V-72247": { + "describe__deleted": " describe sshd_config do\n its('PermitRootLogin') { should cmp 'no' }\n end", "tags": { - "check_id": "C-72481r1_chk", - "severity": "medium", - "gid": "V-72247", - "rid": "SV-86871r3_rule", - "stig_id": "RHEL-07-040370", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78601r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72481r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72247" - ], - "title": "The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH.", - "desc": "[\"Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not permit direct\nlogons to the root account using remote access via SSH.", + "__new": "The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH." + }, + "desc": { + "__old": "Even though the communications channel may be encrypted, an additional\nlayer of security is gained by extending the policy of not logging on directly\nas root. In addition, logging on with a user-specific account provides\nindividual accountability of actions performed on the system.", + "__new": "Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system." 
+ }, "descs": { - "check": "Verify remote access using SSH prevents users from logging on directly as root.\n\nCheck that SSH prevents users from logging on directly as root with the following command:\n\n# grep -i permitrootlogin /etc/ssh/sshd_config\nPermitRootLogin no\n\nIf the \"PermitRootLogin\" keyword is set to \"yes\", is missing, or is commented out, this is a finding.", - "fix": "Configure SSH to stop users from logging on remotely as the root user.\n\nEdit the appropriate \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"PermitRootLogin\" keyword and set its value to \"no\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nPermitRootLogin no\n\nThe SSH service must be restarted for changes to take effect." + "default__deleted": "Even though the communications channel may be encrypted, an additional\nlayer of security is gained by extending the policy of not logging on directly\nas root. In addition, logging on with a user-specific account provides\nindividual accountability of actions performed on the system.", + "rationale__deleted": "", + "check": { + "__old": "Verify remote access using SSH prevents users from logging on directly as\nroot.\n\n Check that SSH prevents users from logging on directly as root with the\nfollowing command:\n\n # grep -i permitrootlogin /etc/ssh/sshd_config\n PermitRootLogin no\n\n If the \"PermitRootLogin\" keyword is set to \"yes\", is missing, or is\ncommented out, this is a finding.", + "__new": "Verify remote access using SSH prevents users from logging on directly as root.\n\nCheck that SSH prevents users from logging on directly as root with the following command:\n\n# grep -i permitrootlogin /etc/ssh/sshd_config\nPermitRootLogin no\n\nIf the \"PermitRootLogin\" keyword is set to \"yes\", is missing, or is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure SSH to stop users from logging on remotely as the root user.\n\n Edit the appropriate \"/etc/ssh/sshd_config\" file to uncomment or add the\nline for the \"PermitRootLogin\" keyword and set its value to \"no\" (this file\nmay be named differently or be in a different location if using a version of\nSSH that is provided by a third-party vendor):\n\n PermitRootLogin no\n\n The SSH service must be restarted for changes to take effect.", + "__new": "Configure SSH to stop users from logging on remotely as the root user.\n\nEdit the appropriate \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"PermitRootLogin\" keyword and set its value to \"no\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nPermitRootLogin no\n\nThe SSH service must be restarted for changes to take effect." + } } }, "V-72249": { + "describe__deleted": " describe sshd_config do\n its('IgnoreUserKnownHosts') { should cmp 'yes' }\n end", "tags": { - "check_id": "C-72483r1_chk", - "severity": "medium", - "gid": "V-72249", - "rid": "SV-86873r3_rule", - "stig_id": "RHEL-07-040380", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78603r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72483r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72249" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.", - "desc": "[\"Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be 
configured so\nthat the SSH daemon does not allow authentication using known hosts\nauthentication.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication." + }, + "desc": { + "__old": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", + "__new": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere." + }, "descs": { - "check": "Verify the SSH daemon does not allow authentication using known hosts authentication.\n\nTo determine how the SSH daemon's \"IgnoreUserKnownHosts\" option is set, run the following command:\n\n# grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config\n\nIgnoreUserKnownHosts yes\n\nIf the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding.", - "fix": "Configure the SSH daemon to not allow authentication using known hosts authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"yes\":\n\nIgnoreUserKnownHosts yes\n\nThe SSH service must be restarted for changes to take effect." 
+ "default__deleted": "Configuring this setting for the SSH daemon provides additional\nassurance that remote logon via SSH will require a password, even in the event\nof misconfiguration elsewhere.", + "rationale__deleted": "", + "check": { + "__old": "Verify the SSH daemon does not allow authentication using known hosts\nauthentication.\n\n To determine how the SSH daemon's \"IgnoreUserKnownHosts\" option is set,\nrun the following command:\n\n # grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config\n\n IgnoreUserKnownHosts yes\n\n If the value is returned as \"no\", the returned line is commented out, or\nno output is returned, this is a finding.", + "__new": "Verify the SSH daemon does not allow authentication using known hosts authentication.\n\nTo determine how the SSH daemon's \"IgnoreUserKnownHosts\" option is set, run the following command:\n\n# grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config\n\nIgnoreUserKnownHosts yes\n\nIf the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding." + }, + "fix": { + "__old": "Configure the SSH daemon to not allow authentication using known hosts\nauthentication.\n\n Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line\nand set the value to \"yes\":\n\n IgnoreUserKnownHosts yes\n\n The SSH service must be restarted for changes to take effect.", + "__new": "Configure the SSH daemon to not allow authentication using known hosts authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"yes\":\n\nIgnoreUserKnownHosts yes\n\nThe SSH service must be restarted for changes to take effect." 
+ } } }, "V-72251": { + "describe__deleted": " if os.release.to_f >= 7.4\n impact 0.0\n describe \"The release is #{os.release}\" do\n skip \"The release is newer than 7.4; this control is Not Applicable.\"\n end\n else\n describe sshd_config do\n its('Protocol') { should cmp '2' }\n end\n end", "tags": { - "check_id": "C-72485r2_chk", - "severity": "high", - "gid": "V-72251", - "rid": "SV-86875r4_rule", - "stig_id": "RHEL-07-040390", - "gtitle": "SRG-OS-000074-GPOS-00042", - "fix_id": "F-78605r2_fix", - "cci": [ - "CCI-000197", - "CCI-000366" - ], - "nist": [ - "IA-5 (1) (c)", - "CM-6 b" - ] + "check_id__added": "C-72485r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72251" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.", - "desc": "[\"SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.\\n\\nSatisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the SSH daemon is configured to only use the SSHv2 protocol.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol." + }, + "desc": { + "__old": "SSHv1 is an insecure implementation of the SSH protocol and has many\nwell-known vulnerability exploits. Exploits of the SSH daemon could provide\nimmediate root access to the system.", + "__new": "SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. 
Exploits of the SSH daemon could provide immediate root access to the system.\n\n" + }, "descs": { - "check": "Check the version of the operating system with the following command:\n\n# cat /etc/redhat-release\n\nIf the release is 7.4 or newer this requirement is Not Applicable.\n\nVerify the SSH daemon is configured to only use the SSHv2 protocol.\n\nCheck that the SSH daemon is configured to only use the SSHv2 protocol with the following command:\n\n# grep -i protocol /etc/ssh/sshd_config\nProtocol 2\n#Protocol 1,2\n\nIf any protocol line other than \"Protocol 2\" is uncommented, this is a finding.", - "fix": "Remove all Protocol lines that reference version \"1\" in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The \"Protocol\" line must be as follows:\n\nProtocol 2\n\nThe SSH service must be restarted for changes to take effect." + "default__deleted": "SSHv1 is an insecure implementation of the SSH protocol and has many\nwell-known vulnerability exploits. 
Exploits of the SSH daemon could provide\nimmediate root access to the system.", + "rationale__deleted": "", + "check": { + "__old": "Check the version of the operating system with the following command:\n\n # cat /etc/redhat-release\n\n If the release is 7.4 or newer this requirement is Not Applicable.\n\n Verify the SSH daemon is configured to only use the SSHv2 protocol.\n\n Check that the SSH daemon is configured to only use the SSHv2 protocol with\nthe following command:\n\n # grep -i protocol /etc/ssh/sshd_config\n Protocol 2\n #Protocol 1,2\n\n If any protocol line other than \"Protocol 2\" is uncommented, this is a\nfinding.", + "__new": "Check the version of the operating system with the following command:\n\n# cat /etc/redhat-release\n\nIf the release is 7.4 or newer this requirement is Not Applicable.\n\nVerify the SSH daemon is configured to only use the SSHv2 protocol.\n\nCheck that the SSH daemon is configured to only use the SSHv2 protocol with the following command:\n\n# grep -i protocol /etc/ssh/sshd_config\nProtocol 2\n#Protocol 1,2\n\nIf any protocol line other than \"Protocol 2\" is uncommented, this is a finding." + }, + "fix": { + "__old": "Remove all Protocol lines that reference version \"1\" in\n\"/etc/ssh/sshd_config\" (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party\nvendor). The \"Protocol\" line must be as follows:\n\n Protocol 2\n\n The SSH service must be restarted for changes to take effect.", + "__new": "Remove all Protocol lines that reference version \"1\" in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The \"Protocol\" line must be as follows:\n\nProtocol 2\n\nThe SSH service must be restarted for changes to take effect." 
+ } } }, "V-72253": { + "describe__deleted": " @macs = inspec.sshd_config.params(\"macs\")\n if @macs.nil?\n # fail fast\n describe 'The `sshd_config` setting for `MACs`' do\n subject { @macs }\n it 'should be explicitly set and not commented out' do\n expect(subject).not_to be_nil\n end\n end\n else\n @macs.first.split(\",\").each do |mac|\n describe mac do\n it { should be_in ['hmac-sha2-256', 'hmac-sha2-512'] }\n end\n end\n end", "tags": { - "check_id": "C-72487r5_chk", - "severity": "medium", - "gid": "V-72253", - "rid": "SV-86877r3_rule", - "stig_id": "RHEL-07-040400", - "gtitle": "SRG-OS-000250-GPOS-00093", - "fix_id": "F-78607r2_fix", - "cci": [ - "CCI-001453" - ], - "nist": [ - "AC-17 (2)" - ] + "check_id__added": "C-72487r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72253" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.", - "desc": "[\"DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the SSH daemon is configured to only use Message Authentication Codes\n(MACs) employing FIPS 140-2 approved cryptographic hash algorithms.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms." + }, + "desc": { + "__old": "DoD information systems are required to use FIPS 140-2 approved\ncryptographic hash functions. 
The only SSHv2 hash algorithm meeting this\nrequirement is SHA.", + "__new": "DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA." + }, "descs": { - "check": "Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers.\n\nNote: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.\n\nCheck that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers with the following command:\n\n# grep -i macs /etc/ssh/sshd_config\nMACs hmac-sha2-256,hmac-sha2-512\n\nIf any ciphers other than \"hmac-sha2-256\" or \"hmac-sha2-512\" are listed or the returned line is commented out, this is a finding.", - "fix": "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"MACs\" keyword and set its value to \"hmac-sha2-256\" and/or \"hmac-sha2-512\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nMACs hmac-sha2-256,hmac-sha2-512\n\nThe SSH service must be restarted for changes to take effect." + "default__deleted": "DoD information systems are required to use FIPS 140-2 approved\ncryptographic hash functions. 
The only SSHv2 hash algorithm meeting this\nrequirement is SHA.", + "rationale__deleted": "", + "check": { + "__old": "Verify the SSH daemon is configured to only use MACs employing FIPS\n140-2-approved ciphers.\n\n Note: If RHEL-07-021350 is a finding, this is automatically a finding as\nthe system cannot implement FIPS 140-2-approved cryptographic algorithms and\nhashes.\n\n Check that the SSH daemon is configured to only use MACs employing FIPS\n140-2-approved ciphers with the following command:\n\n # grep -i macs /etc/ssh/sshd_config\n MACs hmac-sha2-256,hmac-sha2-512\n\n If any ciphers other than \"hmac-sha2-256\" or \"hmac-sha2-512\" are listed\nor the returned line is commented out, this is a finding.", + "__new": "Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers.\n\nNote: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.\n\nCheck that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers with the following command:\n\n# grep -i macs /etc/ssh/sshd_config\nMACs hmac-sha2-256,hmac-sha2-512\n\nIf any ciphers other than \"hmac-sha2-256\" or \"hmac-sha2-512\" are listed or the returned line is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the\n\"MACs\" keyword and set its value to \"hmac-sha2-256\" and/or\n\"hmac-sha2-512\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n MACs hmac-sha2-256,hmac-sha2-512\n\n The SSH service must be restarted for changes to take effect.", + "__new": "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"MACs\" keyword and set its value to \"hmac-sha2-256\" and/or \"hmac-sha2-512\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nMACs hmac-sha2-256,hmac-sha2-512\n\nThe SSH service must be restarted for changes to take effect." + } } }, "V-72255": { + "describe__deleted": " pub_files = command(\"find /etc/ssh -xdev -name '*.pub' -perm /133\").stdout.split(\"\\n\")\n if !pub_files.nil? and !pub_files.empty?\n pub_files.each do |pubfile|\n describe file(pubfile) do\n it { should_not be_executable.by('owner') }\n it { should_not be_executable.by('group') }\n it { should_not be_writable.by('group') }\n it { should_not be_executable.by('others') }\n it { should_not be_writable.by('others') }\n end\n end\n else\n describe \"No files have a more permissive mode.\" do\n subject { pub_files.nil? or pub_files.empty? 
}\n it { should eq true }\n end\n end", "tags": { - "check_id": "C-72489r2_chk", - "severity": "medium", - "gid": "V-72255", - "rid": "SV-86879r2_rule", - "stig_id": "RHEL-07-040410", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78609r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72489r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72255" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.", - "desc": "[\"If a public host key file is modified by an unauthorized user, the SSH service may be compromised.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the SSH public host key files have mode 0644 or less permissive.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive." + }, + "desc": { + "__old": "If a public host key file is modified by an unauthorized user, the SSH\nservice may be compromised.", + "__new": "If a public host key file is modified by an unauthorized user, the SSH service may be compromised." 
+ }, "descs": { - "check": "Verify the SSH public host key files have mode \"0644\" or less permissive.\n\nNote: SSH public key files may be found in other directories on the system depending on the installation.\n\nThe following command will find all SSH public key files on the system:\n\n# find /etc/ssh -name '*.pub' -exec ls -lL {} \\;\n\n-rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub\n-rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub\n-rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub\n\nIf any file has a mode more permissive than \"0644\", this is a finding.", - "fix": "Note: SSH public key files may be found in other directories on the system depending on the installation. \n\nChange the mode of public host key files under \"/etc/ssh\" to \"0644\" with the following command:\n\n# chmod 0644 /etc/ssh/*.key.pub" + "default__deleted": "If a public host key file is modified by an unauthorized user, the SSH\nservice may be compromised.", + "rationale__deleted": "", + "check": { + "__old": "Verify the SSH public host key files have mode \"0644\" or less permissive.\n\n Note: SSH public key files may be found in other directories on the system\ndepending on the installation.\n\n The following command will find all SSH public key files on the system:\n\n # find /etc/ssh -name '*.pub' -exec ls -lL {} \\;\n\n -rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub\n -rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub\n -rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub\n\n If any file has a mode more permissive than \"0644\", this is a finding.", + "__new": "Verify the SSH public host key files have mode \"0644\" or less permissive.\n\nNote: SSH public key files may be found in other directories on the system depending on the installation.\n\nThe following command will find all SSH public key files on the system:\n\n# find /etc/ssh -name '*.pub' -exec ls -lL {} \\;\n\n-rw-r--r-- 1 root root 618 Nov 28 06:43 
ssh_host_dsa_key.pub\n-rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub\n-rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub\n\nIf any file has a mode more permissive than \"0644\", this is a finding." + }, + "fix": { + "__old": "Note: SSH public key files may be found in other directories on the system\ndepending on the installation.\n\n Change the mode of public host key files under \"/etc/ssh\" to \"0644\"\nwith the following command:\n\n # chmod 0644 /etc/ssh/*.key.pub", + "__new": "Note: SSH public key files may be found in other directories on the system depending on the installation. \n\nChange the mode of public host key files under \"/etc/ssh\" to \"0644\" with the following command:\n\n# chmod 0644 /etc/ssh/*.key.pub" + } } }, "V-72257": { + "describe__deleted": " key_files = command(\"find /etc/ssh -xdev -name '*ssh_host*key'\").stdout.split(\"\\n\")\n if !key_files.nil? and !key_files.empty?\n key_files.each do |keyfile|\n describe file(keyfile) do\n it { should_not be_more_permissive_than('0640') }\n end\n end\n else\n describe \"No files have a more permissive mode.\" do\n subject { key_files.nil? or key_files.empty? 
}\n it { should eq true }\n end\n end", "tags": { - "check_id": "C-72491r4_chk", - "severity": "medium", - "gid": "V-72257", - "rid": "SV-86881r3_rule", - "stig_id": "RHEL-07-040420", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78611r5_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72491r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72257" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive.", - "desc": "[\"If an unauthorized user obtains the private SSH host key file, the host could be impersonated.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the SSH private host key files have mode 0640 or less permissive.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive." + }, + "desc": { + "__old": "If an unauthorized user obtains the private SSH host key file, the\nhost could be impersonated.", + "__new": "If an unauthorized user obtains the private SSH host key file, the host could be impersonated." 
+ }, "descs": { - "check": "Verify the SSH private host key files have mode \"0640\" or less permissive.\n\nThe following command will find all SSH private key files on the system and list their modes:\n\n# find / -name '*ssh_host*key' | xargs ls -lL\n\n-rw-r----- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key\n-rw-r----- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key\n-rw-r----- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any file has a mode more permissive than \"0640\", this is a finding.", - "fix": "Configure the mode of SSH private host key files under \"/etc/ssh\" to \"0640\" with the following command:\n\n# chmod 0640 /path/to/file/ssh_host*key" + "default__deleted": "If an unauthorized user obtains the private SSH host key file, the\nhost could be impersonated.", + "rationale__deleted": "", + "check": { + "__old": "Verify the SSH private host key files have mode \"0640\" or less permissive.\n\n The following command will find all SSH private key files on the system and\nlist their modes:\n\n # find / -name '*ssh_host*key' | xargs ls -lL\n\n -rw-r----- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key\n -rw-r----- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key\n -rw-r----- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key\n\n If any file has a mode more permissive than \"0640\", this is a finding.", + "__new": "Verify the SSH private host key files have mode \"0640\" or less permissive.\n\nThe following command will find all SSH private key files on the system and list their modes:\n\n# find / -name '*ssh_host*key' | xargs ls -lL\n\n-rw-r----- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key\n-rw-r----- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key\n-rw-r----- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any file has a mode more permissive than \"0640\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the mode of SSH private host key files under \"/etc/ssh\" to\n\"0640\" with the following command:\n\n # chmod 0640 /path/to/file/ssh_host*key", + "__new": "Configure the mode of SSH private host key files under \"/etc/ssh\" to \"0640\" with the following command:\n\n# chmod 0640 /path/to/file/ssh_host*key" + } } }, "V-72259": { + "describe__deleted": " if input('gssapi_approved')\n describe sshd_config do\n its('GSSAPIAuthentication') { should cmp 'no' }\n end\n else\n impact 0.0\n describe \"GSSAPI authentication is not approved\" do\n skip \"GSSAPI authentication is not approved, this control is Not Applicable.\"\n end\n end", "tags": { - "check_id": "C-72493r1_chk", - "severity": "medium", - "gid": "V-72259", - "rid": "SV-86883r3_rule", - "stig_id": "RHEL-07-040430", - "gtitle": "SRG-OS-000364-GPOS-00151", - "fix_id": "F-78613r2_fix", - "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" - ], + "check_id__added": "C-72493r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1) (a)", - "CM-5 (1)" + [ + " " + ], + [ + " " + ], + [ + " " + ], + [ + "+", + "CM-5 (1) (a)" + ], + [ + " " + ], + [ + "-", + "CM-5 (1)" + ] ] }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72259" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.", - "desc": "[\"GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. 
GSSAPI authentication must be disabled unless needed.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the SSH daemon does not permit Generic Security Service Application\nProgram Interface (GSSAPI) authentication unless needed.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed." + }, + "desc": { + "__old": "GSSAPI authentication is used to provide additional authentication\nmechanisms to applications. Allowing GSSAPI authentication through SSH exposes\nthe system's GSSAPI to remote hosts, increasing the attack surface of the\nsystem. GSSAPI authentication must be disabled unless needed.", + "__new": "GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed." 
+ }, "descs": { - "check": "Verify the SSH daemon does not permit GSSAPI authentication unless approved.\n\nCheck that the SSH daemon does not permit GSSAPI authentication with the following command:\n\n# grep -i gssapiauth /etc/ssh/sshd_config\nGSSAPIAuthentication no\n\nIf the \"GSSAPIAuthentication\" keyword is missing, is set to \"yes\" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.", - "fix": "Uncomment the \"GSSAPIAuthentication\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to \"no\": \n\nGSSAPIAuthentication no\n\nThe SSH service must be restarted for changes to take effect.\n\nIf GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO." + "default__deleted": "GSSAPI authentication is used to provide additional authentication\nmechanisms to applications. Allowing GSSAPI authentication through SSH exposes\nthe system's GSSAPI to remote hosts, increasing the attack surface of the\nsystem. 
GSSAPI authentication must be disabled unless needed.", + "rationale__deleted": "", + "check": { + "__old": "Verify the SSH daemon does not permit GSSAPI authentication unless approved.\n\n Check that the SSH daemon does not permit GSSAPI authentication with the\nfollowing command:\n\n # grep -i gssapiauth /etc/ssh/sshd_config\n GSSAPIAuthentication no\n\n If the \"GSSAPIAuthentication\" keyword is missing, is set to \"yes\" and\nis not documented with the Information System Security Officer (ISSO), or the\nreturned line is commented out, this is a finding.", + "__new": "Verify the SSH daemon does not permit GSSAPI authentication unless approved.\n\nCheck that the SSH daemon does not permit GSSAPI authentication with the following command:\n\n# grep -i gssapiauth /etc/ssh/sshd_config\nGSSAPIAuthentication no\n\nIf the \"GSSAPIAuthentication\" keyword is missing, is set to \"yes\" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding." + }, + "fix": { + "__old": "Uncomment the \"GSSAPIAuthentication\" keyword in \"/etc/ssh/sshd_config\"\n(this file may be named differently or be in a different location if using a\nversion of SSH that is provided by a third-party vendor) and set the value to\n\"no\":\n\n GSSAPIAuthentication no\n\n The SSH service must be restarted for changes to take effect.\n\n If GSSAPI authentication is required, it must be documented, to include the\nlocation of the configuration file, with the ISSO.", + "__new": "Uncomment the \"GSSAPIAuthentication\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to \"no\": \n\nGSSAPIAuthentication no\n\nThe SSH service must be restarted for changes to take effect.\n\nIf GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO." 
+ } } }, "V-72261": { + "describe__deleted": " describe sshd_config do\n its('KerberosAuthentication') { should cmp 'no' }\n end", "tags": { - "check_id": "C-72495r1_chk", - "severity": "medium", - "gid": "V-72261", - "rid": "SV-86885r3_rule", - "stig_id": "RHEL-07-040440", - "gtitle": "SRG-OS-000364-GPOS-00151", - "fix_id": "F-78615r2_fix", - "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" - ], + "check_id__added": "C-72495r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1) (a)", - "CM-5 (1)" + [ + " " + ], + [ + " " + ], + [ + " " + ], + [ + "+", + "CM-5 (1) (a)" + ], + [ + " " + ], + [ + "-", + "CM-5 (1)" + ] ] }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72261" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.", - "desc": "[\"Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the SSH daemon does not permit Kerberos authentication unless needed.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed." 
+ }, + "desc": { + "__old": "Kerberos authentication for SSH is often implemented using Generic\nSecurity Service Application Program Interface (GSSAPI). If Kerberos is enabled\nthrough SSH, the SSH daemon provides a means of access to the system's Kerberos\nimplementation. Vulnerabilities in the system's Kerberos implementation may\nthen be subject to exploitation. To reduce the attack surface of the system,\nthe Kerberos authentication mechanism within SSH must be disabled for systems\nnot using this capability.", + "__new": "Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability." 
+ }, "descs": { - "check": "Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved.\n\nCheck that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:\n\n# grep -i kerberosauth /etc/ssh/sshd_config\nKerberosAuthentication no\n\nIf the \"KerberosAuthentication\" keyword is missing, or is set to \"yes\" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.", - "fix": "Uncomment the \"KerberosAuthentication\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to \"no\":\n\nKerberosAuthentication no\n\nThe SSH service must be restarted for changes to take effect.\n\nIf Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO." + "default__deleted": "Kerberos authentication for SSH is often implemented using Generic\nSecurity Service Application Program Interface (GSSAPI). If Kerberos is enabled\nthrough SSH, the SSH daemon provides a means of access to the system's Kerberos\nimplementation. Vulnerabilities in the system's Kerberos implementation may\nthen be subject to exploitation. 
To reduce the attack surface of the system,\nthe Kerberos authentication mechanism within SSH must be disabled for systems\nnot using this capability.", + "rationale__deleted": "", + "check": { + "__old": "Verify the SSH daemon does not permit Kerberos to authenticate passwords\nunless approved.\n\n Check that the SSH daemon does not permit Kerberos to authenticate\npasswords with the following command:\n\n # grep -i kerberosauth /etc/ssh/sshd_config\n KerberosAuthentication no\n\n If the \"KerberosAuthentication\" keyword is missing, or is set to \"yes\"\nand is not documented with the Information System Security Officer (ISSO), or\nthe returned line is commented out, this is a finding.", + "__new": "Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved.\n\nCheck that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:\n\n# grep -i kerberosauth /etc/ssh/sshd_config\nKerberosAuthentication no\n\nIf the \"KerberosAuthentication\" keyword is missing, or is set to \"yes\" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Uncomment the \"KerberosAuthentication\" keyword in\n\"/etc/ssh/sshd_config\" (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party\nvendor) and set the value to \"no\":\n\n KerberosAuthentication no\n\n The SSH service must be restarted for changes to take effect.\n\n If Kerberos authentication is required, it must be documented, to include\nthe location of the configuration file, with the ISSO.", + "__new": "Uncomment the \"KerberosAuthentication\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to \"no\":\n\nKerberosAuthentication no\n\nThe SSH service must be restarted for changes to take effect.\n\nIf Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO." + } } }, "V-72263": { + "describe__deleted": " describe sshd_config do\n its('StrictModes') { should cmp 'yes' }\n end", "tags": { - "check_id": "C-72497r6_chk", - "severity": "medium", - "gid": "V-72263", - "rid": "SV-86887r3_rule", - "stig_id": "RHEL-07-040450", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78617r4_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72497r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72263" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.", - "desc": "[\"If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system 
must be configured so\nthat the SSH daemon performs strict mode checking of home directory\nconfiguration files.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files." + }, + "desc": { + "__old": "If other users have access to modify user-specific SSH configuration\nfiles, they may be able to log on to the system as another user.", + "__new": "If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user." + }, "descs": { - "check": "Verify the SSH daemon performs strict mode checking of home directory configuration files.\n\nThe location of the \"sshd_config\" file may vary if a different daemon is in use.\n\nInspect the \"sshd_config\" file with the following command:\n\n# grep -i strictmodes /etc/ssh/sshd_config\n\nStrictModes yes\n\nIf \"StrictModes\" is set to \"no\", is missing, or the returned line is commented out, this is a finding.", - "fix": "Uncomment the \"StrictModes\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to \"yes\":\n\nStrictModes yes\n\nThe SSH service must be restarted for changes to take effect." 
+ "default__deleted": "If other users have access to modify user-specific SSH configuration\nfiles, they may be able to log on to the system as another user.", + "rationale__deleted": "", + "check": { + "__old": "Verify the SSH daemon performs strict mode checking of home directory\nconfiguration files.\n\n The location of the \"sshd_config\" file may vary if a different daemon is\nin use.\n\n Inspect the \"sshd_config\" file with the following command:\n\n # grep -i strictmodes /etc/ssh/sshd_config\n\n StrictModes yes\n\n If \"StrictModes\" is set to \"no\", is missing, or the returned line is\ncommented out, this is a finding.", + "__new": "Verify the SSH daemon performs strict mode checking of home directory configuration files.\n\nThe location of the \"sshd_config\" file may vary if a different daemon is in use.\n\nInspect the \"sshd_config\" file with the following command:\n\n# grep -i strictmodes /etc/ssh/sshd_config\n\nStrictModes yes\n\nIf \"StrictModes\" is set to \"no\", is missing, or the returned line is commented out, this is a finding." + }, + "fix": { + "__old": "Uncomment the \"StrictModes\" keyword in \"/etc/ssh/sshd_config\" (this\nfile may be named differently or be in a different location if using a version\nof SSH that is provided by a third-party vendor) and set the value to \"yes\":\n\n StrictModes yes\n\n The SSH service must be restarted for changes to take effect.", + "__new": "Uncomment the \"StrictModes\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to \"yes\":\n\nStrictModes yes\n\nThe SSH service must be restarted for changes to take effect." 
+ } } }, "V-72265": { + "describe__deleted": " describe.one do\n describe sshd_config do\n its('UsePrivilegeSeparation') { should cmp 'sandbox' }\n end\n describe sshd_config do\n its('UsePrivilegeSeparation') { should cmp 'yes' }\n end\n end", "tags": { - "check_id": "C-72499r3_chk", - "severity": "medium", - "gid": "V-72265", - "rid": "SV-86889r3_rule", - "stig_id": "RHEL-07-040460", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78619r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72499r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72265" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.", - "desc": "[\"SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the SSH daemon uses privilege separation.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation." + }, + "desc": { + "__old": "SSH daemon privilege separation causes the SSH process to drop root\nprivileges when not needed, which would decrease the impact of software\nvulnerabilities in the unprivileged section.", + "__new": "SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section." 
+ }, "descs": { - "check": "Verify the SSH daemon performs privilege separation.\n\nCheck that the SSH daemon performs privilege separation with the following command:\n\n# grep -i usepriv /etc/ssh/sshd_config\n\nUsePrivilegeSeparation sandbox\n\nIf the \"UsePrivilegeSeparation\" keyword is set to \"no\", is missing, or the returned line is commented out, this is a finding.", - "fix": "Uncomment the \"UsePrivilegeSeparation\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to \"sandbox\" or \"yes\":\n\nUsePrivilegeSeparation sandbox\n\nThe SSH service must be restarted for changes to take effect." + "default__deleted": "SSH daemon privilege separation causes the SSH process to drop root\nprivileges when not needed, which would decrease the impact of software\nvulnerabilities in the unprivileged section.", + "rationale__deleted": "", + "check": { + "__old": "Verify the SSH daemon performs privilege separation.\n\n Check that the SSH daemon performs privilege separation with the following\ncommand:\n\n # grep -i usepriv /etc/ssh/sshd_config\n\n UsePrivilegeSeparation sandbox\n\n If the \"UsePrivilegeSeparation\" keyword is set to \"no\", is missing, or\nthe returned line is commented out, this is a finding.", + "__new": "Verify the SSH daemon performs privilege separation.\n\nCheck that the SSH daemon performs privilege separation with the following command:\n\n# grep -i usepriv /etc/ssh/sshd_config\n\nUsePrivilegeSeparation sandbox\n\nIf the \"UsePrivilegeSeparation\" keyword is set to \"no\", is missing, or the returned line is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Uncomment the \"UsePrivilegeSeparation\" keyword in\n\"/etc/ssh/sshd_config\" (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party\nvendor) and set the value to \"sandbox\" or \"yes\":\n\n UsePrivilegeSeparation sandbox\n\n The SSH service must be restarted for changes to take effect.", + "__new": "Uncomment the \"UsePrivilegeSeparation\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to \"sandbox\" or \"yes\":\n\nUsePrivilegeSeparation sandbox\n\nThe SSH service must be restarted for changes to take effect." + } } }, "V-72267": { + "describe__deleted": " describe.one do\n describe sshd_config do\n its('Compression') { should cmp 'delayed' }\n end\n describe sshd_config do\n its('Compression') { should cmp 'no' }\n end\n end", "tags": { - "check_id": "C-72501r2_chk", - "severity": "medium", - "gid": "V-72267", - "rid": "SV-86891r3_rule", - "stig_id": "RHEL-07-040470", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78621r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72501r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72267" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.", - "desc": "[\"If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be 
configured so\nthat the SSH daemon does not allow compression or only allows compression after\nsuccessful authentication.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication." + }, + "desc": { + "__old": "If compression is allowed in an SSH connection prior to\nauthentication, vulnerabilities in the compression software could result in\ncompromise of the system from an unauthenticated connection, potentially with\nroot privileges.", + "__new": "If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges." + }, "descs": { - "check": "Verify the SSH daemon performs compression after a user successfully authenticates.\n\nCheck that the SSH daemon performs compression after a user successfully authenticates with the following command:\n\n# grep -i compression /etc/ssh/sshd_config\nCompression delayed\n\nIf the \"Compression\" keyword is set to \"yes\", is missing, or the returned line is commented out, this is a finding.", - "fix": "Uncomment the \"Compression\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to \"delayed\" or \"no\":\n\nCompression no\n\nThe SSH service must be restarted for changes to take effect." 
+ "default__deleted": "If compression is allowed in an SSH connection prior to\nauthentication, vulnerabilities in the compression software could result in\ncompromise of the system from an unauthenticated connection, potentially with\nroot privileges.", + "rationale__deleted": "", + "check": { + "__old": "Verify the SSH daemon performs compression after a user successfully\nauthenticates.\n\n Check that the SSH daemon performs compression after a user successfully\nauthenticates with the following command:\n\n # grep -i compression /etc/ssh/sshd_config\n Compression delayed\n\n If the \"Compression\" keyword is set to \"yes\", is missing, or the\nreturned line is commented out, this is a finding.", + "__new": "Verify the SSH daemon performs compression after a user successfully authenticates.\n\nCheck that the SSH daemon performs compression after a user successfully authenticates with the following command:\n\n# grep -i compression /etc/ssh/sshd_config\nCompression delayed\n\nIf the \"Compression\" keyword is set to \"yes\", is missing, or the returned line is commented out, this is a finding." + }, + "fix": { + "__old": "Uncomment the \"Compression\" keyword in \"/etc/ssh/sshd_config\" (this\nfile may be named differently or be in a different location if using a version\nof SSH that is provided by a third-party vendor) on the system and set the\nvalue to \"delayed\" or \"no\":\n\n Compression no\n\n The SSH service must be restarted for changes to take effect.", + "__new": "Uncomment the \"Compression\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to \"delayed\" or \"no\":\n\nCompression no\n\nThe SSH service must be restarted for changes to take effect." 
+ } } }, "V-72269": { + "describe__deleted": " # Either ntpd or chronyd should be running\n describe.one do\n [service('ntpd'), service('chronyd')].each do |time_service|\n describe time_service do\n it { should be_running }\n it { should be_enabled }\n it { should be_installed }\n end\n end\n end\n\n if service('ntpd').installed?\n time_service = service('ntpd')\n time_sources = ntp_conf('/etc/ntp.conf').server\n max_poll_values = time_sources.map { |val| val.match?(/.*maxpoll.*/) ? val.gsub(/.*maxpoll\\s+(\\d+)(\\s+.*|$)/,'\\1').to_i : 99 }\n ntpdate_crons = command('grep -l \"ntpd -q\" /etc/cron.daily/*').stdout.strip.lines\n\n describe \"ntpd time sources list\" do\n subject { time_sources }\n it { should_not be_empty }\n end\n\n describe.one do\n # Case where maxpoll empty\n describe \"Daily cron jobs for 'ntpd -q'\" do\n subject { ntpdate_crons }\n it { should_not be_empty }\n end\n # All time sources must contain valid maxpoll entries\n describe \"ntpd maxpoll values (99=maxpoll absent)\" do\n subject { max_poll_values }\n it { should all be < 17 }\n end\n end\n end\n\n if service('chronyd').installed?\n time_service = service('chronyd')\n time_sources = ntp_conf('/etc/chrony.conf').server\n max_poll_values = time_sources.map { |val| val.match?(/.*maxpoll.*/) ? 
val.gsub(/.*maxpoll\\s+(\\d+)(\\s+.*|$)/,'\\1').to_i : 99 }\n\n describe \"chronyd time sources list\" do\n subject { time_sources }\n it { should_not be_empty }\n end\n \n # All time sources must contain valid maxpoll entries\n describe \"chronyd maxpoll values (99=maxpoll absent)\" do\n subject { max_poll_values }\n it { should all be < 17 }\n end\n end", "tags": { - "check_id": "C-72503r6_chk", - "severity": "medium", - "gid": "V-72269", - "rid": "SV-86893r5_rule", - "stig_id": "RHEL-07-040500", - "gtitle": "SRG-OS-000355-GPOS-00143", - "fix_id": "F-78623r5_fix", - "cci": [ - "CCI-001891", - "CCI-002046" - ], - "nist": [ - "AU-8 (1) (a)", - "AU-8 (1) (b)" - ] + "check_id__added": "C-72503r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72269" - ], - "title": "The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).", - "desc": "[\"Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. 
Sources outside the configured acceptable allowance (drift) may be inaccurate.\\n\\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\\n\\nOrganizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).\\n\\nSatisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must, for networked\nsystems, synchronize clocks with a server that is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, a time server\ndesignated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global\nPositioning System (GPS).", + "__new": "The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." + }, + "desc": { + "__old": "Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events. 
Sources outside the configured acceptable\nallowance (drift) may be inaccurate.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network.\n\n Organizations should consider endpoints that may not have regular access to\nthe authoritative time server (e.g., mobile, teleworking, and tactical\nendpoints).", + "__new": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\n\nOrganizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).\n\n" + }, "descs": { - "check": "Check to see if NTP is running in continuous mode:\n\n# ps -ef | grep ntp\n\nIf NTP is not running, check to see if \"chronyd\" is running in continuous mode:\n\n# ps -ef | grep chronyd\n\nIf NTP or \"chronyd\" is not running, this is a finding.\n\nIf the NTP process is found, then check the \"ntp.conf\" file for the \"maxpoll\" option setting:\n\n# grep maxpoll /etc/ntp.conf\n\nserver 0.rhel.pool.ntp.org iburst maxpoll 10\n\nIf the option is set to \"17\" or is not set, this is a finding.\n\nIf the file does not exist, check the \"/etc/cron.daily\" subdirectory for a crontab file controlling the execution of the \"ntpd -q\" command.\n\n# grep -i \"ntpd -q\" /etc/cron.daily/*\n# ls -al /etc/cron.* | grep ntp\n\nntp\n\nIf a crontab file does not exist in the \"/etc/cron.daily\" that executes the \"ntpd -q\" command, this is a finding.\n\nIf the 
\"chronyd\" process is found, then check the \"chrony.conf\" file for the \"maxpoll\" option setting:\n\n# grep maxpoll /etc/chrony.conf\n\nserver 0.rhel.pool.ntp.org iburst maxpoll 10\n\nIf the option is not set or the line is commented out, this is a finding.", - "fix": "Edit the \"/etc/ntp.conf\" or \"/etc/chrony.conf\" file and add or update an entry to define \"maxpoll\" to \"10\" as follows:\n\nserver 0.rhel.pool.ntp.org iburst maxpoll 10\n\nIf NTP was running and \"maxpoll\" was updated, the NTP service must be restarted:\n\n# systemctl restart ntpd\n\nIf NTP was not running, it must be started:\n\n# systemctl start ntpd \n\nIf \"chronyd\" was running and \"maxpoll\" was updated, the service must be restarted:\n\n# systemctl restart chronyd.service\n\nIf \"chronyd\" was not running, it must be started:\n\n# systemctl start chronyd.service" + "default__deleted": "Inaccurate time stamps make it more difficult to correlate events and\ncan lead to an inaccurate analysis. Determining the correct time a particular\nevent occurred on a system is critical when conducting forensic analysis and\ninvestigating system events. 
Sources outside the configured acceptable\nallowance (drift) may be inaccurate.\n\n Synchronizing internal information system clocks provides uniformity of\ntime stamps for information systems with multiple system clocks and systems\nconnected over a network.\n\n Organizations should consider endpoints that may not have regular access to\nthe authoritative time server (e.g., mobile, teleworking, and tactical\nendpoints).", + "rationale__deleted": "", + "check": { + "__old": "Check to see if NTP is running in continuous mode:\n\n # ps -ef | grep ntp\n\n If NTP is not running, check to see if \"chronyd\" is running in continuous\nmode:\n\n # ps -ef | grep chronyd\n\n If NTP or \"chronyd\" is not running, this is a finding.\n\n If the NTP process is found, then check the \"ntp.conf\" file for the\n\"maxpoll\" option setting:\n\n # grep maxpoll /etc/ntp.conf\n\n server 0.rhel.pool.ntp.org iburst maxpoll 10\n\n If the option is set to \"17\" or is not set, this is a finding.\n\n If the file does not exist, check the \"/etc/cron.daily\" subdirectory for\na crontab file controlling the execution of the \"ntpd -q\" command.\n\n # grep -i \"ntpd -q\" /etc/cron.daily/*\n # ls -al /etc/cron.* | grep ntp\n\n ntp\n\n If a crontab file does not exist in the \"/etc/cron.daily\" that executes\nthe \"ntpd -q\" command, this is a finding.\n\n If the \"chronyd\" process is found, then check the \"chrony.conf\" file\nfor the \"maxpoll\" option setting:\n\n # grep maxpoll /etc/chrony.conf\n\n server 0.rhel.pool.ntp.org iburst maxpoll 10\n\n If the option is not set or the line is commented out, this is a finding.", + "__new": "Check to see if NTP is running in continuous mode:\n\n# ps -ef | grep ntp\n\nIf NTP is not running, check to see if \"chronyd\" is running in continuous mode:\n\n# ps -ef | grep chronyd\n\nIf NTP or \"chronyd\" is not running, this is a finding.\n\nIf the NTP process is found, then check the \"ntp.conf\" file for the \"maxpoll\" option setting:\n\n# grep maxpoll 
/etc/ntp.conf\n\nserver 0.rhel.pool.ntp.org iburst maxpoll 10\n\nIf the option is set to \"17\" or is not set, this is a finding.\n\nIf the file does not exist, check the \"/etc/cron.daily\" subdirectory for a crontab file controlling the execution of the \"ntpd -q\" command.\n\n# grep -i \"ntpd -q\" /etc/cron.daily/*\n# ls -al /etc/cron.* | grep ntp\n\nntp\n\nIf a crontab file does not exist in the \"/etc/cron.daily\" that executes the \"ntpd -q\" command, this is a finding.\n\nIf the \"chronyd\" process is found, then check the \"chrony.conf\" file for the \"maxpoll\" option setting:\n\n# grep maxpoll /etc/chrony.conf\n\nserver 0.rhel.pool.ntp.org iburst maxpoll 10\n\nIf the option is not set or the line is commented out, this is a finding." + }, + "fix": { + "__old": "Edit the \"/etc/ntp.conf\" or \"/etc/chrony.conf\" file and add or update\nan entry to define \"maxpoll\" to \"10\" as follows:\n\n server 0.rhel.pool.ntp.org iburst maxpoll 10\n\n If NTP was running and \"maxpoll\" was updated, the NTP service must be\nrestarted:\n\n # systemctl restart ntpd\n\n If NTP was not running, it must be started:\n\n # systemctl start ntpd\n\n If \"chronyd\" was running and \"maxpoll\" was updated, the service must be\nrestarted:\n\n # systemctl restart chronyd.service\n\n If \"chronyd\" was not running, it must be started:\n\n # systemctl start chronyd.service", + "__new": "Edit the \"/etc/ntp.conf\" or \"/etc/chrony.conf\" file and add or update an entry to define \"maxpoll\" to \"10\" as follows:\n\nserver 0.rhel.pool.ntp.org iburst maxpoll 10\n\nIf NTP was running and \"maxpoll\" was updated, the NTP service must be restarted:\n\n# systemctl restart ntpd\n\nIf NTP was not running, it must be started:\n\n# systemctl start ntpd \n\nIf \"chronyd\" was running and \"maxpoll\" was updated, the service must be restarted:\n\n# systemctl restart chronyd.service\n\nIf \"chronyd\" was not running, it must be started:\n\n# systemctl start chronyd.service" + } } }, "V-72273": { + 
"describe__deleted": " describe.one do\n describe package('firewalld') do\n it { should be_installed }\n end\n describe package('iptables') do\n it { should be_installed }\n end\n end\n describe.one do\n describe systemd_service('firewalld.service') do\n it { should be_running }\n end\n\tdescribe systemd_service('iptables.service') do\n it { should be_running }\n end\n end", "tags": { - "check_id": "C-72507r1_chk", - "severity": "medium", - "gid": "V-72273", - "rid": "SV-86897r2_rule", - "stig_id": "RHEL-07-040520", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78627r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72507r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72273" - ], - "title": "The Red Hat Enterprise Linux operating system must enable an application firewall, if available.", - "desc": "[\"Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.\\n\\nSatisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must enable an\napplication firewall, if available.", + "__new": "The Red Hat Enterprise Linux operating system must enable an application firewall, if available." + }, + "desc": { + "__old": "Firewalls protect computers from network attacks by blocking or\nlimiting access to open network ports. Application firewalls limit which\napplications are allowed to communicate over the network.", + "__new": "Firewalls protect computers from network attacks by blocking or limiting access to open network ports. 
Application firewalls limit which applications are allowed to communicate over the network.\n\n" + }, "descs": { - "check": "Verify the operating system enabled an application firewall.\n\nCheck to see if \"firewalld\" is installed with the following command:\n\n# yum list installed firewalld\nfirewalld-0.3.9-11.el7.noarch.rpm\n\nIf the \"firewalld\" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed. \n\nIf an application firewall is not installed, this is a finding. \n\nCheck to see if the firewall is loaded and active with the following command:\n\n# systemctl status firewalld\nfirewalld.service - firewalld - dynamic firewall daemon\n\n Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\n Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago\n\nIf \"firewalld\" does not show a status of \"loaded\" and \"active\", this is a finding. \n\nCheck the state of the firewall:\n\n# firewall-cmd --state \nrunning\n\nIf \"firewalld\" does not show a state of \"running\", this is a finding.", - "fix": "Ensure the operating system's application firewall is enabled.\n\nInstall the \"firewalld\" package, if it is not on the system, with the following command:\n\n# yum install firewalld\n\nStart the firewall via \"systemctl\" with the following command:\n\n# systemctl start firewalld" + "default__deleted": "Firewalls protect computers from network attacks by blocking or\nlimiting access to open network ports. 
Application firewalls limit which\napplications are allowed to communicate over the network.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system enabled an application firewall.\n\n Check to see if \"firewalld\" is installed with the following command:\n\n # yum list installed firewalld\n firewalld-0.3.9-11.el7.noarch.rpm\n\n If the \"firewalld\" package is not installed, ask the System Administrator\nif another firewall application (such as iptables) is installed.\n\n If an application firewall is not installed, this is a finding.\n\n Check to see if the firewall is loaded and active with the following\ncommand:\n\n # systemctl status firewalld\n firewalld.service - firewalld - dynamic firewall daemon\n\n Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\n Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago\n\n If \"firewalld\" does not show a status of \"loaded\" and \"active\", this\nis a finding.\n\n Check the state of the firewall:\n\n # firewall-cmd --state\n running\n\n If \"firewalld\" does not show a state of \"running\", this is a finding.", + "__new": "Verify the operating system enabled an application firewall.\n\nCheck to see if \"firewalld\" is installed with the following command:\n\n# yum list installed firewalld\nfirewalld-0.3.9-11.el7.noarch.rpm\n\nIf the \"firewalld\" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed. \n\nIf an application firewall is not installed, this is a finding. \n\nCheck to see if the firewall is loaded and active with the following command:\n\n# systemctl status firewalld\nfirewalld.service - firewalld - dynamic firewall daemon\n\n Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\n Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago\n\nIf \"firewalld\" does not show a status of \"loaded\" and \"active\", this is a finding. 
\n\nCheck the state of the firewall:\n\n# firewall-cmd --state \nrunning\n\nIf \"firewalld\" does not show a state of \"running\", this is a finding." + }, + "fix": { + "__old": "Ensure the operating system's application firewall is enabled.\n\n Install the \"firewalld\" package, if it is not on the system, with the\nfollowing command:\n\n # yum install firewalld\n\n Start the firewall via \"systemctl\" with the following command:\n\n # systemctl start firewalld", + "__new": "Ensure the operating system's application firewall is enabled.\n\nInstall the \"firewalld\" package, if it is not on the system, with the following command:\n\n# yum install firewalld\n\nStart the firewall via \"systemctl\" with the following command:\n\n# systemctl start firewalld" + } } }, "V-72275": { + "describe__deleted": " describe pam('/etc/pam.d/postlogin') do\n its('lines') { should match_pam_rule('session .* pam_lastlog.so showfailed') }\n end\n\n describe.one do\n describe sshd_config do\n its('PrintLastLog') { should cmp 'yes' }\n end\n\n describe pam('/etc/pam.d/postlogin') do\n its('lines') { should match_pam_rule('session .* pam_lastlog.so showfailed').all_without_args('silent') }\n end\n end", "tags": { - "check_id": "C-72509r6_chk", - "severity": "low", - "gid": "V-72275", - "rid": "SV-86899r4_rule", - "stig_id": "RHEL-07-040530", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78629r4_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72509r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "low" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72275" - ], - "title": "The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.", - "desc": "[\"Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.false\"]", - "impact": 0.3, + 
"title": { + "__old": "The Red Hat Enterprise Linux operating system must display the date\nand time of the last successful account logon upon logon.", + "__new": "The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon." + }, + "desc": { + "__old": "Providing users with feedback on when account accesses last occurred\nfacilitates user recognition and reporting of unauthorized account use.", + "__new": "Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use." + }, "descs": { - "check": "Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that \"pam_lastlog\" is used and not silent with the following command:\n\n# grep pam_lastlog /etc/pam.d/postlogin\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is missing from \"/etc/pam.d/postlogin\" file, or the silent option is present, this is a finding.", - "fix": "Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in \"/etc/pam.d/postlogin\". 
\n\nAdd the following line to the top of \"/etc/pam.d/postlogin\":\n\nsession required pam_lastlog.so showfailed" + "default__deleted": "Providing users with feedback on when account accesses last occurred\nfacilitates user recognition and reporting of unauthorized account use.", + "rationale__deleted": "", + "check": { + "__old": "Verify users are provided with feedback on when account accesses last\noccurred.\n\n Check that \"pam_lastlog\" is used and not silent with the following\ncommand:\n\n # grep pam_lastlog /etc/pam.d/postlogin\n session required pam_lastlog.so showfailed\n\n If \"pam_lastlog\" is missing from \"/etc/pam.d/postlogin\" file, or the\nsilent option is present, this is a finding.", + "__new": "Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that \"pam_lastlog\" is used and not silent with the following command:\n\n# grep pam_lastlog /etc/pam.d/postlogin\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is missing from \"/etc/pam.d/postlogin\" file, or the silent option is present, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to provide users with feedback on when\naccount accesses last occurred by setting the required configuration options in\n\"/etc/pam.d/postlogin\".\n\n Add the following line to the top of \"/etc/pam.d/postlogin\":\n\n session required pam_lastlog.so showfailed", + "__new": "Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in \"/etc/pam.d/postlogin\". 
\n\nAdd the following line to the top of \"/etc/pam.d/postlogin\":\n\nsession required pam_lastlog.so showfailed" + } } }, "V-72277": { + "describe__deleted": " describe command(\"find / -xdev -xautofs -name '*.shosts'\") do\n its('stdout.strip') { should be_empty }\n end", "tags": { - "check_id": "C-72511r1_chk", - "severity": "high", - "gid": "V-72277", - "rid": "SV-86901r2_rule", - "stig_id": "RHEL-07-040540", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78631r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72511r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72277" - ], - "title": "The Red Hat Enterprise Linux operating system must not contain .shosts files.", - "desc": "[\"The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not contain .shosts\nfiles.", + "__new": "The Red Hat Enterprise Linux operating system must not contain .shosts files." + }, + "desc": { + "__old": "The .shosts files are used to configure host-based authentication for\nindividual users or the system via SSH. Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.", + "__new": "The .shosts files are used to configure host-based authentication for individual users or the system via SSH. 
Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication." + }, "descs": { - "check": "Verify there are no \".shosts\" files on the system.\n\nCheck the system for the existence of these files with the following command:\n\n# find / -name '*.shosts'\n\nIf any \".shosts\" files are found on the system, this is a finding.", - "fix": "Remove any found \".shosts\" files from the system.\n\n# rm /[path]/[to]/[file]/.shosts" + "default__deleted": "The .shosts files are used to configure host-based authentication for\nindividual users or the system via SSH. Host-based authentication is not\nsufficient for preventing unauthorized access to the system, as it does not\nrequire interactive identification and authentication of a connection request,\nor for the use of two-factor authentication.", + "rationale__deleted": "", + "check": { + "__old": "Verify there are no \".shosts\" files on the system.\n\n Check the system for the existence of these files with the following\ncommand:\n\n # find / -name '*.shosts'\n\n If any \".shosts\" files are found on the system, this is a finding.", + "__new": "Verify there are no \".shosts\" files on the system.\n\nCheck the system for the existence of these files with the following command:\n\n# find / -name '*.shosts'\n\nIf any \".shosts\" files are found on the system, this is a finding." 
+ } } }, "V-72279": { + "describe__deleted": " describe command('find / -xdev -xautofs -name shosts.equiv') do\n its('stdout.strip') { should be_empty }\n end", "tags": { - "check_id": "C-72513r1_chk", - "severity": "high", - "gid": "V-72279", - "rid": "SV-86903r2_rule", - "stig_id": "RHEL-07-040550", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78633r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72513r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72279" - ], - "title": "The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.", - "desc": "[\"The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not contain\nshosts.equiv files.", + "__new": "The Red Hat Enterprise Linux operating system must not contain shosts.equiv files." + }, + "desc": { + "__old": "The shosts.equiv files are used to configure host-based authentication\nfor the system via SSH. Host-based authentication is not sufficient for\npreventing unauthorized access to the system, as it does not require\ninteractive identification and authentication of a connection request, or for\nthe use of two-factor authentication.", + "__new": "The shosts.equiv files are used to configure host-based authentication for the system via SSH. 
Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication." + }, "descs": { - "check": "Verify there are no \"shosts.equiv\" files on the system.\n\nCheck the system for the existence of these files with the following command:\n\n# find / -name shosts.equiv\n\nIf any \"shosts.equiv\" files are found on the system, this is a finding.", - "fix": "Remove any found \"shosts.equiv\" files from the system.\n\n# rm /[path]/[to]/[file]/shosts.equiv" + "default__deleted": "The shosts.equiv files are used to configure host-based authentication\nfor the system via SSH. Host-based authentication is not sufficient for\npreventing unauthorized access to the system, as it does not require\ninteractive identification and authentication of a connection request, or for\nthe use of two-factor authentication.", + "rationale__deleted": "", + "check": { + "__old": "Verify there are no \"shosts.equiv\" files on the system.\n\n Check the system for the existence of these files with the following\ncommand:\n\n # find / -name shosts.equiv\n\n If any \"shosts.equiv\" files are found on the system, this is a finding.", + "__new": "Verify there are no \"shosts.equiv\" files on the system.\n\nCheck the system for the existence of these files with the following command:\n\n# find / -name shosts.equiv\n\nIf any \"shosts.equiv\" files are found on the system, this is a finding." 
+ } } }, "V-72281": { + "describe__deleted": " dns_in_host_line = parse_config_file(\"/etc/nsswitch.conf\",\n {\n comment_char: '#',\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/,\n }\n ).params['hosts'].include?('dns')\n\n describe \"If `local` resolution is being used, a `hosts` entry in /etc/nsswitch.conf having `dns`\" do\n subject { dns_in_host_line }\n it { should be false }\n end if !dns_in_host_line\n\n describe \"If `local` resoultion is being used, the /etc/resolv.conf file should\" do\n subject { parse_config_file(\"/etc/resolv.conf\", { comment_char: '#'}).params }\n it { should be_empty }\n end if !dns_in_host_line\n\n nameservers = parse_config_file(\"/etc/resolv.conf\",\n { comment_char: '#'}\n ).params.keys.grep(/nameserver/)\n\n describe \"The system's nameservers: #{nameservers}\" do\n subject { nameservers }\n it { should_not be nil }\n end if dns_in_host_line\n\n describe \"The number of nameservers\" do\n subject { nameservers.count }\n it { should cmp >= 2 }\n end if dns_in_host_line", "tags": { - "check_id": "C-72515r3_chk", - "severity": "low", - "gid": "V-72281", - "rid": "SV-86905r3_rule", - "stig_id": "RHEL-07-040600", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78635r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72515r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "low" + }, + "rid": { + "__old": "SV-86905r2_rule", + "__new": "SV-86905r3_rule" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72281" - ], - "title": "For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured.", - "desc": "[\"To provide availability for name resolution services, multiple redundant name servers are mandated. 
A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.false\"]", - "impact": 0.3, + "title": { + "__old": "For Red Hat Enterprise Linux operating systems using DNS resolution,\nat least two name servers must be configured.", + "__new": "For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured." + }, + "desc": { + "__old": "To provide availability for name resolution services, multiple\nredundant name servers are mandated. A failure in name resolution could lead to\nthe failure of security functions requiring name resolution, which may include\ntime synchronization, centralized authentication, and remote system logging.", + "__new": "To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging." 
+ }, "descs": { - "check": "Determine whether the system is using local or DNS name resolution with the following command:\n\n# grep hosts /etc/nsswitch.conf\nhosts: files dns\n\nIf the DNS entry is missing from the host's line in the \"/etc/nsswitch.conf\" file, the \"/etc/resolv.conf\" file must be empty.\n\nVerify the \"/etc/resolv.conf\" file is empty with the following command:\n\n# ls -al /etc/resolv.conf\n-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf\n\nIf local host authentication is being used and the \"/etc/resolv.conf\" file is not empty, this is a finding.\n\nIf the DNS entry is found on the host's line of the \"/etc/nsswitch.conf\" file, verify the operating system is configured to use two or more name servers for DNS resolution.\n\nDetermine the name servers used by the system with the following command:\n\n# grep nameserver /etc/resolv.conf\nnameserver 192.168.1.2\nnameserver 192.168.1.3\n\nIf less than two lines are returned that are not commented out, this is a finding.\n\nVerify that the \"/etc/resolv.conf\" file is immutable with the following command:\n\n# sudo lsattr /etc/resolv.conf\n\n----i----------- /etc/resolv.conf\n\nIf the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding.", - "fix": "Configure the operating system to use two or more name servers for DNS resolution.\n\nEdit the \"/etc/resolv.conf\" file to uncomment or add the two or more \"nameserver\" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the \"/etc/resolv.conf\" file must be empty. 
An empty \"/etc/resolv.conf\" file can be created as follows:\n\n# echo -n > /etc/resolv.conf\n\nAnd then make the file immutable with the following command:\n\n# chattr +i /etc/resolv.conf\n\nIf the \"/etc/resolv.conf\" file must be mutable, the required configuration must be documented with the Information System Security Officer (ISSO) and the file must be verified by the system file integrity tool." + "default__deleted": "To provide availability for name resolution services, multiple\nredundant name servers are mandated. A failure in name resolution could lead to\nthe failure of security functions requiring name resolution, which may include\ntime synchronization, centralized authentication, and remote system logging.", + "rationale__deleted": "", + "check": { + "__old": "Determine whether the system is using local or DNS name resolution with the\nfollowing command:\n\n # grep hosts /etc/nsswitch.conf\n hosts: files dns\n\n If the DNS entry is missing from the host's line in the\n\"/etc/nsswitch.conf\" file, the \"/etc/resolv.conf\" file must be empty.\n\n Verify the \"/etc/resolv.conf\" file is empty with the following command:\n\n # ls -al /etc/resolv.conf\n -rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf\n\n If local host authentication is being used and the \"/etc/resolv.conf\"\nfile is not empty, this is a finding.\n\n If the DNS entry is found on the host's line of the \"/etc/nsswitch.conf\"\nfile, verify the operating system is configured to use two or more name servers\nfor DNS resolution.\n\n Determine the name servers used by the system with the following command:\n\n # grep nameserver /etc/resolv.conf\n nameserver 192.168.1.2\n nameserver 192.168.1.3\n\n If less than two lines are returned that are not commented out, this is a\nfinding.", + "__new": "Determine whether the system is using local or DNS name resolution with the following command:\n\n# grep hosts /etc/nsswitch.conf\nhosts: files dns\n\nIf the DNS entry is missing from the host's line 
in the \"/etc/nsswitch.conf\" file, the \"/etc/resolv.conf\" file must be empty.\n\nVerify the \"/etc/resolv.conf\" file is empty with the following command:\n\n# ls -al /etc/resolv.conf\n-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf\n\nIf local host authentication is being used and the \"/etc/resolv.conf\" file is not empty, this is a finding.\n\nIf the DNS entry is found on the host's line of the \"/etc/nsswitch.conf\" file, verify the operating system is configured to use two or more name servers for DNS resolution.\n\nDetermine the name servers used by the system with the following command:\n\n# grep nameserver /etc/resolv.conf\nnameserver 192.168.1.2\nnameserver 192.168.1.3\n\nIf less than two lines are returned that are not commented out, this is a finding.\n\nVerify that the \"/etc/resolv.conf\" file is immutable with the following command:\n\n# sudo lsattr /etc/resolv.conf\n\n----i----------- /etc/resolv.conf\n\nIf the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding." + }, + "fix": { + "__old": "Configure the operating system to use two or more name servers for DNS\nresolution.\n\n Edit the \"/etc/resolv.conf\" file to uncomment or add the two or more\n\"nameserver\" option lines with the IP address of local authoritative name\nservers. If local host resolution is being performed, the \"/etc/resolv.conf\"\nfile must be empty. 
An empty \"/etc/resolv.conf\" file can be created as\nfollows:\n\n # echo -n > /etc/resolv.conf\n\n And then make the file immutable with the following command:\n\n # chattr +i /etc/resolv.conf\n\n If the \"/etc/resolv.conf\" file must be mutable, the required\nconfiguration must be documented with the Information System Security Officer\n(ISSO) and the file must be verified by the system file integrity tool.", + "__new": "Configure the operating system to use two or more name servers for DNS resolution.\n\nEdit the \"/etc/resolv.conf\" file to uncomment or add the two or more \"nameserver\" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the \"/etc/resolv.conf\" file must be empty. An empty \"/etc/resolv.conf\" file can be created as follows:\n\n# echo -n > /etc/resolv.conf\n\nAnd then make the file immutable with the following command:\n\n# chattr +i /etc/resolv.conf\n\nIf the \"/etc/resolv.conf\" file must be mutable, the required configuration must be documented with the Information System Security Officer (ISSO) and the file must be verified by the system file integrity tool." 
+ } } }, - "V-72283": { - "tags": { - "check_id": "C-72517r3_chk", - "severity": "medium", - "gid": "V-72283", - "rid": "SV-86907r2_rule", - "stig_id": "RHEL-07-040610", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78637r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "V-72283": { + "describe__deleted": " describe kernel_parameter('net.ipv4.conf.all.accept_source_route') do\n its('value') { should eq 0 }\n end", + "tags": { + "check_id__added": "C-72517r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72283" - ], - "title": "The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.", - "desc": "[\"Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not forward\nInternet Protocol version 4 (IPv4) source-routed packets.", + "__new": "The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets." + }, + "desc": { + "__old": "Source-routed packets allow the source of the packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. 
This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv4\nforwarding is enabled and the system is functioning as a router.", + "__new": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router." + }, "descs": { - "check": "Verify the system does not accept IPv4 source-routed packets.\n\n# grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*\n\nnet.ipv4.conf.all.accept_source_route = 0\n\nIf \" net.ipv4.conf.all.accept_source_route \" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route\nnet.ipv4.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.all.accept_source_route = 0 \n\nIssue the following command to make the changes take effect:\n \n# sysctl -system" + "default__deleted": "Source-routed packets allow the source of the packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. 
This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv4\nforwarding is enabled and the system is functioning as a router.", + "rationale__deleted": "", + "check": { + "__old": "Verify the system does not accept IPv4 source-routed packets.\n\n # grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf\n/etc/sysctl.d/*\n\n net.ipv4.conf.all.accept_source_route = 0\n\n If \" net.ipv4.conf.all.accept_source_route \" is not configured in the\n/etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or\ndoes not have a value of \"0\", this is a finding.\n\n Check that the operating system implements the accept source route variable\nwith the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route\n net.ipv4.conf.all.accept_source_route = 0\n\n If the returned line does not have a value of \"0\", this is a finding.", + "__new": "Verify the system does not accept IPv4 source-routed packets.\n\n# grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*\n\nnet.ipv4.conf.all.accept_source_route = 0\n\nIf \" net.ipv4.conf.all.accept_source_route \" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route\nnet.ipv4.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", this is a finding." 
+ }, + "fix": { + "__old": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.all.accept_source_route = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl -system", + "__new": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.all.accept_source_route = 0 \n\nIssue the following command to make the changes take effect:\n \n# sysctl -system" + } } }, "V-72285": { + "describe__deleted": " describe kernel_parameter('net.ipv4.conf.default.accept_source_route') do\n its('value') { should eq 0 }\n end", "tags": { - "check_id": "C-72519r2_chk", - "severity": "medium", - "gid": "V-72285", - "rid": "SV-86909r2_rule", - "stig_id": "RHEL-07-040620", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78639r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72519r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72285" - ], - "title": "The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.", - "desc": "[\"Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not forward\nInternet Protocol version 4 (IPv4) source-routed packets by default.", + "__new": "The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default." + }, + "desc": { + "__old": "Source-routed packets allow the source of the packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv4\nforwarding is enabled and the system is functioning as a router.", + "__new": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router." 
+ }, "descs": { - "check": "Verify the system does not accept IPv4 source-routed packets by default.\n\n# grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf \" net.ipv4.conf.default.accept_source_route \" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.default.accept_source_route = 0 \n\nIssue the following command to make the changes take effect:\n \n# sysctl --system" + "default__deleted": "Source-routed packets allow the source of the packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. 
This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv4\nforwarding is enabled and the system is functioning as a router.", + "rationale__deleted": "", + "check": { + "__old": "Verify the system does not accept IPv4 source-routed packets by default.\n\n # grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf\n/etc/sysctl.d/*\n net.ipv4.conf.default.accept_source_route = 0\n\n If \" net.ipv4.conf.default.accept_source_route \" is not configured in the\n/etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or\ndoes not have a value of \"0\", this is a finding.\n\n Check that the operating system implements the accept source route variable\nwith the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route\n net.ipv4.conf.default.accept_source_route = 0\n\n If the returned line does not have a value of \"0\", this is a finding.", + "__new": "Verify the system does not accept IPv4 source-routed packets by default.\n\n# grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf \" net.ipv4.conf.default.accept_source_route \" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", this is a finding." 
+ }, + "fix": { + "__old": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.default.accept_source_route = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system", + "__new": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.default.accept_source_route = 0 \n\nIssue the following command to make the changes take effect:\n \n# sysctl --system" + } } }, "V-72287": { + "describe__deleted": " describe kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') do\n its('value') { should eq 1 }\n end", "tags": { - "check_id": "C-72521r2_chk", - "severity": "medium", - "gid": "V-72287", - "rid": "SV-86911r2_rule", - "stig_id": "RHEL-07-040630", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78641r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72521r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72287" - ], - "title": "The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.", - "desc": "[\"Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not respond to\nInternet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP)\nechoes sent to a broadcast address.", + "__new": "The Red Hat Enterprise Linux operating system must not respond to 
Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." + }, + "desc": { + "__old": "Responding to broadcast (ICMP) echoes facilitates network mapping and\nprovides a vector for amplification attacks.", + "__new": "Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks." + }, "descs": { - "check": "Verify the system does not respond to IPv4 ICMP echoes sent to a broadcast address.\n\n# grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/*\n\nIf \" net.ipv4.icmp_echo_ignore_broadcasts\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the \"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIssue the following command to make the changes take effect: \n\n# sysctl --system" + "default__deleted": "Responding to broadcast (ICMP) echoes facilitates network mapping and\nprovides a vector for amplification attacks.", + "rationale__deleted": "", + "check": { + "__old": "Verify the system does not respond to IPv4 ICMP echoes sent to a broadcast\naddress.\n\n # grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/*\n\n If \" net.ipv4.icmp_echo_ignore_broadcasts\" is not configured in the\n/etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or\ndoes not have a value of \"1\", this is a 
finding.\n\n Check that the operating system implements the\n\"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts\n net.ipv4.icmp_echo_ignore_broadcasts = 1\n\n If the returned line does not have a value of \"1\", this is a finding.", + "__new": "Verify the system does not respond to IPv4 ICMP echoes sent to a broadcast address.\n\n# grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/*\n\nIf \" net.ipv4.icmp_echo_ignore_broadcasts\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the \"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the returned line does not have a value of \"1\", this is a finding." + }, + "fix": { + "__old": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.icmp_echo_ignore_broadcasts = 1\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system", + "__new": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIssue the following command to make the changes take effect: \n\n# sysctl --system" + } } }, "V-72289": { + "describe__deleted": " describe kernel_parameter('net.ipv4.conf.default.accept_redirects') do\n its('value') { should eq 0 }\n end", "tags": { - "check_id": "C-72523r3_chk", - "severity": "medium", - "gid": "V-72289", - "rid": "SV-86913r3_rule", - "stig_id": 
"RHEL-07-040640", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78643r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72523r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72289" - ], - "title": "The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.", - "desc": "[\"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must prevent Internet\nProtocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect\nmessages from being accepted.", + "__new": "The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted." + }, + "desc": { + "__old": "ICMP redirect messages are used by routers to inform hosts that a more\ndirect route exists for a particular destination. These messages modify the\nhost's route table and are unauthenticated. An illicit ICMP redirect message\ncould result in a man-in-the-middle attack.", + "__new": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack." 
+ }, "descs": { - "check": "Verify the system will not accept IPv4 ICMP redirect messages.\n\n# grep 'net.ipv4.conf.default.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/*\n\nIf \" net.ipv4.conf.default.accept_redirects \" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the value of the \"accept_redirects\" variables with the following command:\n\n# /sbin/sysctl -a | grep 'net.ipv4.conf.default.accept_redirects'\nnet.ipv4.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.", - "fix": "Set the system to not accept IPv4 ICMP redirect messages by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.default.accept_redirects = 0 \n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + "default__deleted": "ICMP redirect messages are used by routers to inform hosts that a more\ndirect route exists for a particular destination. These messages modify the\nhost's route table and are unauthenticated. 
An illicit ICMP redirect message\ncould result in a man-in-the-middle attack.", + "rationale__deleted": "", + "check": { + "__old": "Verify the system will not accept IPv4 ICMP redirect messages.\n\n # grep 'net.ipv4.conf.default.accept_redirects' /etc/sysctl.conf\n/etc/sysctl.d/*\n\n If \" net.ipv4.conf.default.accept_redirects \" is not configured in the\n/etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or\ndoes not have a value of \"0\", this is a finding.\n\n Check that the operating system implements the value of the\n\"accept_redirects\" variables with the following command:\n\n # /sbin/sysctl -a | grep 'net.ipv4.conf.default.accept_redirects'\n net.ipv4.conf.default.accept_redirects = 0\n\n If the returned line does not have a value of \"0\", this is a finding.", + "__new": "Verify the system will not accept IPv4 ICMP redirect messages.\n\n# grep 'net.ipv4.conf.default.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/*\n\nIf \" net.ipv4.conf.default.accept_redirects \" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the value of the \"accept_redirects\" variables with the following command:\n\n# /sbin/sysctl -a | grep 'net.ipv4.conf.default.accept_redirects'\nnet.ipv4.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding." 
+ }, + "fix": { + "__old": "Set the system to not accept IPv4 ICMP redirect messages by adding the\nfollowing line to \"/etc/sysctl.conf\" or a configuration file in the\n/etc/sysctl.d/ directory (or modify the line to have the required value):\n\n net.ipv4.conf.default.accept_redirects = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system", + "__new": "Set the system to not accept IPv4 ICMP redirect messages by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.default.accept_redirects = 0 \n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + } } }, "V-72291": { + "describe__deleted": " describe kernel_parameter('net.ipv4.conf.default.send_redirects') do\n its('value') { should eq 0 }\n end", "tags": { - "check_id": "C-72525r4_chk", - "severity": "medium", - "gid": "V-72291", - "rid": "SV-86915r4_rule", - "stig_id": "RHEL-07-040650", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78645r4_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72525r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72291" - ], - "title": "The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.", - "desc": "[\"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not allow\ninterfaces to perform Internet Protocol version 4 (IPv4) Internet Control\nMessage Protocol (ICMP) redirects by default.", + "__new": "The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default." + }, + "desc": { + "__old": "ICMP redirect messages are used by routers to inform hosts that a more\ndirect route exists for a particular destination. These messages contain\ninformation from the system's route table, possibly revealing portions of the\nnetwork topology.", + "__new": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology." + }, "descs": { - "check": "Verify the system does not allow interfaces to perform IPv4 ICMP redirects by default.\n\n# grep 'net.ipv4.conf.default.send_redirects' /etc/sysctl.conf /etc/sysctl.d/*\n\nIf \"net.ipv4.conf.default.send_redirects\" is not configured in the \"/etc/sysctl.conf\" file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"default send_redirects\" variables with the following command:\n\n# /sbin/sysctl -a | grep 'net.ipv4.conf.default.send_redirects'\n\nnet.ipv4.conf.default.send_redirects = 0 \n\nIf the returned line does not have a value of \"0\", this is a finding.", - "fix": "Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. 
\n\nSet the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.default.send_redirects = 0\n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + "default__deleted": "ICMP redirect messages are used by routers to inform hosts that a more\ndirect route exists for a particular destination. These messages contain\ninformation from the system's route table, possibly revealing portions of the\nnetwork topology.", + "rationale__deleted": "", + "check": { + "__old": "Verify the system does not allow interfaces to perform IPv4 ICMP redirects\nby default.\n\n # grep 'net.ipv4.conf.default.send_redirects' /etc/sysctl.conf\n/etc/sysctl.d/*\n\n If \"net.ipv4.conf.default.send_redirects\" is not configured in the\n\"/etc/sysctl.conf\" file or in the /etc/sysctl.d/ directory, is commented out\nor does not have a value of \"0\", this is a finding.\n\n Check that the operating system implements the \"default send_redirects\"\nvariables with the following command:\n\n # /sbin/sysctl -a | grep 'net.ipv4.conf.default.send_redirects'\n\n net.ipv4.conf.default.send_redirects = 0\n\n If the returned line does not have a value of \"0\", this is a finding.", + "__new": "Verify the system does not allow interfaces to perform IPv4 ICMP redirects by default.\n\n# grep 'net.ipv4.conf.default.send_redirects' /etc/sysctl.conf /etc/sysctl.d/*\n\nIf \"net.ipv4.conf.default.send_redirects\" is not configured in the \"/etc/sysctl.conf\" file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"default send_redirects\" variables with the following command:\n\n# /sbin/sysctl -a | grep 'net.ipv4.conf.default.send_redirects'\n\nnet.ipv4.conf.default.send_redirects = 0 \n\nIf the returned line does not have 
a value of \"0\", this is a finding." + }, + "fix": { + "__old": "Configure the system to not allow interfaces to perform IPv4 ICMP redirects\nby default.\n\n Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.default.send_redirects = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system", + "__new": "Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. \n\nSet the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.default.send_redirects = 0\n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + } } }, "V-72293": { + "describe__deleted": " describe kernel_parameter('net.ipv4.conf.all.send_redirects') do\n its('value') { should eq 0 }\n end", "tags": { - "check_id": "C-72527r3_chk", - "severity": "medium", - "gid": "V-72293", - "rid": "SV-86917r3_rule", - "stig_id": "RHEL-07-040660", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78647r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72527r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72293" - ], - "title": "The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.", - "desc": "[\"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not send Internet\nProtocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.", + "__new": "The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects." + }, + "desc": { + "__old": "ICMP redirect messages are used by routers to inform hosts that a more\ndirect route exists for a particular destination. These messages contain\ninformation from the system's route table, possibly revealing portions of the\nnetwork topology.", + "__new": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology." + }, "descs": { - "check": "Verify the system does not send IPv4 ICMP redirect messages.\n\n# grep 'net.ipv4.conf.all.send_redirects' /etc/sysctl.conf /etc/sysctl.d/*\n\nIf \"net.ipv4.conf.all.send_redirects\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"all send_redirects\" variables with the following command:\n\n# /sbin/sysctl -a | grep 'net.ipv4.conf.all.send_redirects'\n\nnet.ipv4.conf.all.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.", - "fix": "Configure the system to not allow interfaces to perform IPv4 ICMP redirects. 
\n\nSet the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.all.send_redirects = 0\n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + "default__deleted": "ICMP redirect messages are used by routers to inform hosts that a more\ndirect route exists for a particular destination. These messages contain\ninformation from the system's route table, possibly revealing portions of the\nnetwork topology.", + "rationale__deleted": "", + "check": { + "__old": "Verify the system does not send IPv4 ICMP redirect messages.\n\n # grep 'net.ipv4.conf.all.send_redirects' /etc/sysctl.conf /etc/sysctl.d/*\n\n If \"net.ipv4.conf.all.send_redirects\" is not configured in the\n/etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or\ndoes not have a value of \"0\", this is a finding.\n\n Check that the operating system implements the \"all send_redirects\"\nvariables with the following command:\n\n # /sbin/sysctl -a | grep 'net.ipv4.conf.all.send_redirects'\n\n net.ipv4.conf.all.send_redirects = 0\n\n If the returned line does not have a value of \"0\", this is a finding.", + "__new": "Verify the system does not send IPv4 ICMP redirect messages.\n\n# grep 'net.ipv4.conf.all.send_redirects' /etc/sysctl.conf /etc/sysctl.d/*\n\nIf \"net.ipv4.conf.all.send_redirects\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"all send_redirects\" variables with the following command:\n\n# /sbin/sysctl -a | grep 'net.ipv4.conf.all.send_redirects'\n\nnet.ipv4.conf.all.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the system to not allow interfaces to perform IPv4 ICMP\nredirects.\n\n Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.all.send_redirects = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system", + "__new": "Configure the system to not allow interfaces to perform IPv4 ICMP redirects. \n\nSet the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.all.send_redirects = 0\n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + } } }, "V-72295": { + "describe__deleted": " describe command(\"ip link | grep -i promisc\") do\n its('stdout.strip') { should match %r{^$} }\n end", "tags": { - "check_id": "C-72529r1_chk", - "severity": "medium", - "gid": "V-72295", - "rid": "SV-86919r2_rule", - "stig_id": "RHEL-07-040670", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78649r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72529r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72295" - ], - "title": "Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.", - "desc": "[\"Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. 
If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems.\\n\\nIf the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.false\"]", - "impact": 0.5, + "title": { + "__old": "Network interfaces configured on the Red Hat Enterprise Linux\noperating system must not be in promiscuous mode.", + "__new": "Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode." + }, + "desc": { + "__old": "Network interfaces in promiscuous mode allow for the capture of all\nnetwork traffic visible to the system. If unauthorized individuals can access\nthese applications, it may allow then to collect information such as logon IDs,\npasswords, and key exchanges between systems.\n\n If the system is being used to perform a network troubleshooting function,\nthe use of these tools must be documented with the Information System Security\nOfficer (ISSO) and restricted to only authorized personnel.", + "__new": "Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems.\n\nIf the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel." 
+ }, "descs": { - "check": "Verify network interfaces are not in promiscuous mode unless approved by the ISSO and documented.\n\nCheck for the status with the following command:\n\n# ip link | grep -i promisc\n\nIf network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.", - "fix": "Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented.\n\nSet the promiscuous mode of an interface to off with the following command:\n\n#ip link set dev multicast off promisc off" + "default__deleted": "Network interfaces in promiscuous mode allow for the capture of all\nnetwork traffic visible to the system. If unauthorized individuals can access\nthese applications, it may allow then to collect information such as logon IDs,\npasswords, and key exchanges between systems.\n\n If the system is being used to perform a network troubleshooting function,\nthe use of these tools must be documented with the Information System Security\nOfficer (ISSO) and restricted to only authorized personnel.", + "rationale__deleted": "", + "check": { + "__old": "Verify network interfaces are not in promiscuous mode unless approved by\nthe ISSO and documented.\n\n Check for the status with the following command:\n\n # ip link | grep -i promisc\n\n If network interfaces are found on the system in promiscuous mode and their\nuse has not been approved by the ISSO and documented, this is a finding.", + "__new": "Verify network interfaces are not in promiscuous mode unless approved by the ISSO and documented.\n\nCheck for the status with the following command:\n\n# ip link | grep -i promisc\n\nIf network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding." 
+ }, + "fix": { + "__old": "Configure network interfaces to turn off promiscuous mode unless approved\nby the ISSO and documented.\n\n Set the promiscuous mode of an interface to off with the following command:\n\n #ip link set dev multicast off promisc off", + "__new": "Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented.\n\nSet the promiscuous mode of an interface to off with the following command:\n\n#ip link set dev multicast off promisc off" + } } }, "V-72297": { + "describe__deleted": " # Only permit_mynetworks and reject should be allowed\n describe.one do\n describe command('postconf -n smtpd_client_restrictions') do\n its('stdout.strip') { should match %r{^smtpd_client_restrictions\\s+=\\s+permit_mynetworks,\\s*reject\\s*$} }\n end\n describe command('postconf -n smtpd_client_restrictions') do\n its('stdout.strip') { should match %r{^smtpd_client_restrictions\\s+=\\s+permit_mynetworks\\s*$} }\n end\n describe command('postconf -n smtpd_client_restrictions') do\n its('stdout.strip') { should match %r{^smtpd_client_restrictions\\s+=\\s+reject\\s*$} }\n end\n describe command('postconf -n smtpd_client_restrictions') do\n its('stdout.strip') { should match %r{^smtpd_client_restrictions\\s+=\\s+reject,\\s*permit_mynetworks\\s*$} }\n end\n end if package('postfix').installed?\n\n describe \"The `postfix` package is not installed\" do\n skip \"The `postfix` package is not installed, this control is Not Applicable\"\n end if !package('postfix').installed?", "tags": { - "check_id": "C-72531r3_chk", - "severity": "medium", - "gid": "V-72297", - "rid": "SV-86921r3_rule", - "stig_id": "RHEL-07-040680", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78651r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72531r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - 
"V-72297" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.", - "desc": "[\"If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured to\nprevent unrestricted mail relaying.", + "__new": "The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying." + }, + "desc": { + "__old": "If unrestricted mail relaying is permitted, unauthorized senders could\nuse this host as a mail relay for the purpose of sending spam or other\nunauthorized activity.", + "__new": "If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity." + }, "descs": { - "check": "Verify the system is configured to prevent unrestricted mail relaying.\n\nDetermine if \"postfix\" is installed with the following commands:\n\n# yum list installed postfix\npostfix-2.6.6-6.el7.x86_64.rpm \n\nIf postfix is not installed, this is Not Applicable.\n\nIf postfix is installed, determine if it is configured to reject connections from unknown or untrusted networks with the following command:\n\n# postconf -n smtpd_client_restrictions\nsmtpd_client_restrictions = permit_mynetworks, reject\n\nIf the \"smtpd_client_restrictions\" parameter contains any entries other than \"permit_mynetworks\" and \"reject\", this is a finding.", - "fix": "If \"postfix\" is installed, modify the \"/etc/postfix/main.cf\" file to restrict client connections to the local network with the following command:\n\n# postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" + "default__deleted": "If unrestricted mail relaying is permitted, unauthorized senders could\nuse this host as a mail relay for 
the purpose of sending spam or other\nunauthorized activity.", + "rationale__deleted": "", + "check": { + "__old": "Verify the system is configured to prevent unrestricted mail relaying.\n\n Determine if \"postfix\" is installed with the following commands:\n\n # yum list installed postfix\n postfix-2.6.6-6.el7.x86_64.rpm\n\n If postfix is not installed, this is Not Applicable.\n\n If postfix is installed, determine if it is configured to reject\nconnections from unknown or untrusted networks with the following command:\n\n # postconf -n smtpd_client_restrictions\n smtpd_client_restrictions = permit_mynetworks, reject\n\n If the \"smtpd_client_restrictions\" parameter contains any entries other\nthan \"permit_mynetworks\" and \"reject\", this is a finding.", + "__new": "Verify the system is configured to prevent unrestricted mail relaying.\n\nDetermine if \"postfix\" is installed with the following commands:\n\n# yum list installed postfix\npostfix-2.6.6-6.el7.x86_64.rpm \n\nIf postfix is not installed, this is Not Applicable.\n\nIf postfix is installed, determine if it is configured to reject connections from unknown or untrusted networks with the following command:\n\n# postconf -n smtpd_client_restrictions\nsmtpd_client_restrictions = permit_mynetworks, reject\n\nIf the \"smtpd_client_restrictions\" parameter contains any entries other than \"permit_mynetworks\" and \"reject\", this is a finding." 
+ }, + "fix": { + "__old": "If \"postfix\" is installed, modify the \"/etc/postfix/main.cf\" file to\nrestrict client connections to the local network with the following command:\n\n # postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'", + "__new": "If \"postfix\" is installed, modify the \"/etc/postfix/main.cf\" file to restrict client connections to the local network with the following command:\n\n# postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" + } } }, "V-72299": { + "describe__deleted": " describe.one do\n describe package('vsftpd') do\n it { should_not be_installed }\n end\n describe parse_config_file('/etc/vsftpd/vsftpd.conf') do\n its('ssl_enable') { should cmp 'YES' }\n its('force_anon_data_ssl') { should cmp 'YES' }\n its('force_anon_logins_ssl') { should cmp 'YES' }\n its('force_local_data_ssl') { should cmp 'YES' }\n its('force_local_logins_ssl') { should cmp 'YES' }\n end\n end", "tags": { - "check_id": "C-72533r3_chk", - "severity": "high", - "gid": "V-72299", - "rid": "SV-86923r3_rule", - "stig_id": "RHEL-07-040690", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78653r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72533r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72299" - ], - "title": "The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.", - "desc": "[\"The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. 
SSH or other encrypted file transfer methods must be used in place of this service.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not have a File\nTransfer Protocol (FTP) server package installed unless needed.", + "__new": "The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed." + }, + "desc": { + "__old": "The FTP service provides an unencrypted remote access that does not\nprovide for the confidentiality and integrity of user passwords or the remote\nsession. If a privileged user were to log on using this service, the privileged\nuser password could be compromised. SSH or other encrypted file transfer\nmethods must be used in place of this service.", + "__new": "The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service." + }, "descs": { - "check": "Verify an FTP server has not been installed on the system.\n\nCheck to see if an FTP server has been installed with the following commands:\n\n# yum list installed vsftpd\n\n vsftpd-3.0.2.el7.x86_64.rpm\n\nIf \"vsftpd\" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Document the \"vsftpd\" package with the ISSO as an operational requirement or remove it from the system with the following command:\n\n# yum remove vsftpd" + "default__deleted": "The FTP service provides an unencrypted remote access that does not\nprovide for the confidentiality and integrity of user passwords or the remote\nsession. If a privileged user were to log on using this service, the privileged\nuser password could be compromised. 
SSH or other encrypted file transfer\nmethods must be used in place of this service.", + "rationale__deleted": "", + "check": { + "__old": "Verify an FTP server has not been installed on the system.\n\n Check to see if an FTP server has been installed with the following\ncommands:\n\n # yum list installed vsftpd\n\n vsftpd-3.0.2.el7.x86_64.rpm\n\n If \"vsftpd\" is installed and is not documented with the Information\nSystem Security Officer (ISSO) as an operational requirement, this is a finding.", + "__new": "Verify an FTP server has not been installed on the system.\n\nCheck to see if an FTP server has been installed with the following commands:\n\n# yum list installed vsftpd\n\n vsftpd-3.0.2.el7.x86_64.rpm\n\nIf \"vsftpd\" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding." + }, + "fix": { + "__old": "Document the \"vsftpd\" package with the ISSO as an operational requirement\nor remove it from the system with the following command:\n\n # yum remove vsftpd", + "__new": "Document the \"vsftpd\" package with the ISSO as an operational requirement or remove it from the system with the following command:\n\n# yum remove vsftpd" + } } }, "V-72301": { + "describe__deleted": " describe package('tftp-server') do\n it { should_not be_installed }\n end", "tags": { - "check_id": "C-72535r1_chk", - "severity": "high", - "gid": "V-72301", - "rid": "SV-86925r2_rule", - "stig_id": "RHEL-07-040700", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78655r2_fix", - "cci": [ - "CCI-000318", - "CCI-000368", - "CCI-001812", - "CCI-001813", - "CCI-001814" - ], + "check_id__added": "C-72535r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + }, "nist": [ - "CM-3 f", - "CM-6 c", - "CM-11 (2)", - "CM-5 (1) (a)", - "CM-5 (1)" + [ + " " + ], + [ + " " + ], + [ + " " + ], + [ + "+", + "CM-5 (1) (a)" + ], + [ + " " + ], + [ + "-", + "CM-5 (1)" + ] ] }, "refs": 
[ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72301" - ], - "title": "The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.", - "desc": "[\"If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not have the\nTrivial File Transfer Protocol (TFTP) server package installed if not required\nfor operational support.", + "__new": "The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support." + }, + "desc": { + "__old": "If TFTP is required for operational support (such as the transmission\nof router configurations) its use must be documented with the Information\nSystem Security Officer (ISSO), restricted to only authorized personnel, and\nhave access control rules established.", + "__new": "If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established." 
+ }, "descs": { - "check": "Verify a TFTP server has not been installed on the system.\n\nCheck to see if a TFTP server has been installed with the following command:\n\n# yum list installed tftp-server\ntftp-server-0.49-9.el7.x86_64.rpm\n\nIf TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.", - "fix": "Remove the TFTP package from the system with the following command:\n\n# yum remove tftp-server" + "default__deleted": "If TFTP is required for operational support (such as the transmission\nof router configurations) its use must be documented with the Information\nSystem Security Officer (ISSO), restricted to only authorized personnel, and\nhave access control rules established.", + "rationale__deleted": "", + "check": { + "__old": "Verify a TFTP server has not been installed on the system.\n\n Check to see if a TFTP server has been installed with the following command:\n\n # yum list installed tftp-server\n tftp-server-0.49-9.el7.x86_64.rpm\n\n If TFTP is installed and the requirement for TFTP is not documented with\nthe ISSO, this is a finding.", + "__new": "Verify a TFTP server has not been installed on the system.\n\nCheck to see if a TFTP server has been installed with the following command:\n\n# yum list installed tftp-server\ntftp-server-0.49-9.el7.x86_64.rpm\n\nIf TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding." 
+ } } }, "V-72303": { + "describe__deleted": " describe sshd_config do\n its('X11Forwarding') { should cmp 'yes' }\n end", "tags": { - "check_id": "C-72537r5_chk", - "severity": "high", - "gid": "V-72303", - "rid": "SV-86927r4_rule", - "stig_id": "RHEL-07-040710", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78657r6_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72537r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72303" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that remote X connections for interactive users are encrypted.", - "desc": "[\"Open X displays allow an attacker to capture keystrokes and execute commands remotely.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat remote X connections for interactive users are encrypted.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that remote X connections for interactive users are encrypted." + }, + "desc": { + "__old": "Open X displays allow an attacker to capture keystrokes and execute\ncommands remotely.", + "__new": "Open X displays allow an attacker to capture keystrokes and execute commands remotely." 
+ }, "descs": { - "check": "Verify remote X connections for interactive users are encrypted.\n\nCheck that remote X connections are encrypted with the following command:\n\n# grep -i x11forwarding /etc/ssh/sshd_config | grep -v \"^#\"\n\nX11Forwarding yes\n\nIf the \"X11Forwarding\" keyword is set to \"no\" or is missing, this is a finding.", - "fix": "Configure SSH to encrypt connections for interactive users.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\" keyword and set its value to \"yes\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding yes\n\nThe SSH service must be restarted for changes to take effect:\n\n# systemctl restart sshd" + "default__deleted": "Open X displays allow an attacker to capture keystrokes and execute\ncommands remotely.", + "rationale__deleted": "", + "check": { + "__old": "Verify remote X connections for interactive users are encrypted.\n\n Check that remote X connections are encrypted with the following command:\n\n # grep -i x11forwarding /etc/ssh/sshd_config | grep -v \"^#\"\n\n X11Forwarding yes\n\n If the \"X11Forwarding\" keyword is set to \"no\" or is missing, this is a\nfinding.", + "__new": "Verify remote X connections for interactive users are encrypted.\n\nCheck that remote X connections are encrypted with the following command:\n\n# grep -i x11forwarding /etc/ssh/sshd_config | grep -v \"^#\"\n\nX11Forwarding yes\n\nIf the \"X11Forwarding\" keyword is set to \"no\" or is missing, this is a finding." 
+ }, + "fix": { + "__old": "Configure SSH to encrypt connections for interactive users.\n\n Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the\n\"X11Forwarding\" keyword and set its value to \"yes\" (this file may be named\ndifferently or be in a different location if using a version of SSH that is\nprovided by a third-party vendor):\n\n X11Forwarding yes\n\n The SSH service must be restarted for changes to take effect:\n\n # systemctl restart sshd", + "__new": "Configure SSH to encrypt connections for interactive users.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\" keyword and set its value to \"yes\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding yes\n\nThe SSH service must be restarted for changes to take effect:\n\n# systemctl restart sshd" + } } }, "V-72305": { + "describe__deleted": " if package('tftp-server').installed?\n impact 0.5\n describe command('grep server_args /etc/xinetd.d/tftp') do\n its('stdout.strip') { should match %r{^\\s*server_args\\s+=\\s+(-s|--secure)\\s(\\/\\S+)$} }\n end\n else\n impact 0.0\n describe \"The TFTP package is not installed\" do\n skip \"If a TFTP server is not installed, this is Not Applicable.\"\n end\n end", "tags": { - "check_id": "C-72539r3_chk", - "severity": "medium", - "gid": "V-72305", - "rid": "SV-86929r3_rule", - "stig_id": "RHEL-07-040720", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78659r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72539r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72305" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is 
configured to operate in secure mode.", - "desc": "[\"Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP\ndaemon is configured to operate in secure mode.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode." + }, + "desc": { + "__old": "Restricting TFTP to a specific directory prevents remote users from\ncopying, transferring, or overwriting system files.", + "__new": "Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the TFTP daemon is configured to operate in secure mode.\n\nCheck to see if a TFTP server has been installed with the following commands:\n\n# yum list installed tftp-server\ntftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms\n\nIf a TFTP server is not installed, this is Not Applicable.\n\nIf a TFTP server is installed, check for the server arguments with the following command: \n\n# grep server_args /etc/xinetd.d/tftp\nserver_args = -s /var/lib/tftpboot\n\nIf the \"server_args\" line does not have a \"-s\" option and a subdirectory is not assigned, this is a finding.", - "fix": "Configure the TFTP daemon to operate in secure mode by adding the following line to \"/etc/xinetd.d/tftp\" (or modify the line to have the required value):\n\nserver_args = -s /var/lib/tftpboot" + "default__deleted": "Restricting TFTP to a specific directory prevents remote users from\ncopying, transferring, or overwriting system files.", + "rationale__deleted": "", + "check": { + "__old": "Verify the TFTP 
daemon is configured to operate in secure mode.\n\n Check to see if a TFTP server has been installed with the following\ncommands:\n\n # yum list installed tftp-server\n tftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms\n\n If a TFTP server is not installed, this is Not Applicable.\n\n If a TFTP server is installed, check for the server arguments with the\nfollowing command:\n\n # grep server_args /etc/xinetd.d/tftp\n server_args = -s /var/lib/tftpboot\n\n If the \"server_args\" line does not have a \"-s\" option and a\nsubdirectory is not assigned, this is a finding.", + "__new": "Verify the TFTP daemon is configured to operate in secure mode.\n\nCheck to see if a TFTP server has been installed with the following commands:\n\n# yum list installed tftp-server\ntftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms\n\nIf a TFTP server is not installed, this is Not Applicable.\n\nIf a TFTP server is installed, check for the server arguments with the following command: \n\n# grep server_args /etc/xinetd.d/tftp\nserver_args = -s /var/lib/tftpboot\n\nIf the \"server_args\" line does not have a \"-s\" option and a subdirectory is not assigned, this is a finding." 
+ }, + "fix": { + "__old": "Configure the TFTP daemon to operate in secure mode by adding the following\nline to \"/etc/xinetd.d/tftp\" (or modify the line to have the required value):\n\n server_args = -s /var/lib/tftpboot", + "__new": "Configure the TFTP daemon to operate in secure mode by adding the following line to \"/etc/xinetd.d/tftp\" (or modify the line to have the required value):\n\nserver_args = -s /var/lib/tftpboot" + } } }, "V-72307": { + "describe__deleted": " x11_enabled = input('x11_enabled')\n\n describe package('xorg-x11-server-common') do\n it { should_not be_installed }\n end if !x11_enabled\n\n describe package('xorg-x11-server-common') do\n it { should be_installed }\n end if x11_enabled", "tags": { - "check_id": "C-72541r3_chk", - "severity": "medium", - "gid": "V-72307", - "rid": "SV-86931r4_rule", - "stig_id": "RHEL-07-040730", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78661r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72541r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72307" - ], - "title": "The Red Hat Enterprise Linux operating system must not have an X Windows display manager installed unless approved.", - "desc": "[\"Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and will not be used unless approved and documented.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not have an X\nWindows display manager installed unless approved.", + "__new": "The Red Hat Enterprise Linux operating system must not have an X Windows display manager installed unless approved." 
+ }, + "desc": { + "__old": "Internet services that are not required for system or application\nprocesses must not be active to decrease the attack surface of the system. X\nWindows has a long history of security vulnerabilities and will not be used\nunless approved and documented.", + "__new": "Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and will not be used unless approved and documented." + }, "descs": { - "check": "Verify that if the system has X Windows System installed, it is authorized.\n\nCheck for the X11 package with the following command:\n\n# rpm -qa | grep xorg | grep server\n\nAsk the System Administrator if use of the X Windows System is an operational requirement.\n\nIf the use of X Windows on the system is not documented with the Information System Security Officer (ISSO), this is a finding.", - "fix": "Document the requirement for an X Windows server with the ISSO or remove the related packages with the following commands:\n\n# rpm -e xorg-x11-server-common" + "default__deleted": "Internet services that are not required for system or application\nprocesses must not be active to decrease the attack surface of the system. 
X\nWindows has a long history of security vulnerabilities and will not be used\nunless approved and documented.", + "rationale__deleted": "", + "check": { + "__old": "Verify that if the system has X Windows System installed, it is authorized.\n\n Check for the X11 package with the following command:\n\n # rpm -qa | grep xorg | grep server\n\n Ask the System Administrator if use of the X Windows System is an\noperational requirement.\n\n If the use of X Windows on the system is not documented with the\nInformation System Security Officer (ISSO), this is a finding.", + "__new": "Verify that if the system has X Windows System installed, it is authorized.\n\nCheck for the X11 package with the following command:\n\n# rpm -qa | grep xorg | grep server\n\nAsk the System Administrator if use of the X Windows System is an operational requirement.\n\nIf the use of X Windows on the system is not documented with the Information System Security Officer (ISSO), this is a finding." + }, + "fix": { + "__old": "Document the requirement for an X Windows server with the ISSO or remove\nthe related packages with the following commands:\n\n # rpm -e xorg-x11-server-common", + "__new": "Document the requirement for an X Windows server with the ISSO or remove the related packages with the following commands:\n\n# rpm -e xorg-x11-server-common" + } } }, "V-72309": { + "describe__deleted": " describe kernel_parameter('net.ipv4.ip_forward') do\n its('value') { should eq 0 }\n end", "tags": { - "check_id": "C-72543r2_chk", - "severity": "medium", - "gid": "V-72309", - "rid": "SV-86933r2_rule", - "stig_id": "RHEL-07-040740", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78663r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72543r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72309" - ], - "title": "The Red Hat Enterprise Linux 
operating system must not be performing packet forwarding unless the system is a router.", - "desc": "[\"Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not be performing\npacket forwarding unless the system is a router.", + "__new": "The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router." + }, + "desc": { + "__old": "Routing protocol daemons are typically used on routers to exchange\nnetwork topology information with other routers. If this software is used when\nnot required, system network information may be unnecessarily transmitted\nacross the network.", + "__new": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network." 
+ }, "descs": { - "check": "Verify the system is not performing packet forwarding, unless the system is a router.\n\n# grep net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d/*\n\nnet.ipv4.ip_forward = 0\n\nIf \"net.ipv4.ip_forward\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system does not implement IP forwarding using the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.ip_forward\nnet.ipv4.ip_forward = 0\n\nIf IP forwarding value is \"1\" and the system is hosting any application, database, or web servers, this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.ip_forward = 0\n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + "default__deleted": "Routing protocol daemons are typically used on routers to exchange\nnetwork topology information with other routers. 
If this software is used when\nnot required, system network information may be unnecessarily transmitted\nacross the network.", + "rationale__deleted": "", + "check": { + "__old": "Verify the system is not performing packet forwarding, unless the system is\na router.\n\n # grep net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d/*\n\n net.ipv4.ip_forward = 0\n\n If \"net.ipv4.ip_forward\" is not configured in the /etc/sysctl.conf file\nor in the /etc/sysctl.d/ directory, is commented out, or does not have a value\nof \"0\", this is a finding.\n\n Check that the operating system does not implement IP forwarding using the\nfollowing command:\n\n # /sbin/sysctl -a | grep net.ipv4.ip_forward\n net.ipv4.ip_forward = 0\n\n If IP forwarding value is \"1\" and the system is hosting any application,\ndatabase, or web servers, this is a finding.", + "__new": "Verify the system is not performing packet forwarding, unless the system is a router.\n\n# grep net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d/*\n\nnet.ipv4.ip_forward = 0\n\nIf \"net.ipv4.ip_forward\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system does not implement IP forwarding using the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.ip_forward\nnet.ipv4.ip_forward = 0\n\nIf IP forwarding value is \"1\" and the system is hosting any application, database, or web servers, this is a finding." 
+ }, + "fix": { + "__old": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.ip_forward = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system", + "__new": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.ip_forward = 0\n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + } } }, "V-72311": { + "describe__deleted": " nfs_systems = etc_fstab.nfs_file_systems.entries\n if !nfs_systems.nil? and !nfs_systems.empty?\n nfs_systems.each do |file_system|\n describe file_system do\n its ('mount_options') { should include 'sec=krb5:krb5i:krb5p' }\n end\n end\n else\n describe \"No NFS file systems were found.\" do\n subject { nfs_systems.nil? or nfs_systems.empty? }\n it { should eq true }\n end\n end", "tags": { - "check_id": "C-72545r2_chk", - "severity": "medium", - "gid": "V-72311", - "rid": "SV-86935r4_rule", - "stig_id": "RHEL-07-040750", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78665r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72545r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72311" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.", - "desc": "[\"When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. 
The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the Network File System (NFS) is configured to use RPCSEC_GSS.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS." + }, + "desc": { + "__old": "When an NFS server is configured to use RPCSEC_SYS, a selected userid\nand groupid are used to handle requests from the remote user. The userid and\ngroupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS\nmethod of authentication uses certificates on the server and client systems to\nmore securely authenticate the remote mount request.", + "__new": "When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request." + }, "descs": { - "check": "Verify \"AUTH_GSS\" is being used to authenticate NFS mounts.\n\nTo check if the system is importing an NFS file system, look for any entries in the \"/etc/fstab\" file that have a file system type of \"nfs\" with the following command:\n\n# cat /etc/fstab | grep nfs\n192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p\n\nIf the system is mounting file systems via NFS and has the sec option without the \"krb5:krb5i:krb5p\" settings, the \"sec\" option has the \"sys\" setting, or the \"sec\" option is missing, this is a finding.", - "fix": "Update the \"/etc/fstab\" file so the option \"sec\" is defined for each NFS mounted file system and the \"sec\" option does not have the \"sys\" setting. 
\n\nEnsure the \"sec\" option is defined as \"krb5:krb5i:krb5p\"." + "default__deleted": "When an NFS server is configured to use RPCSEC_SYS, a selected userid\nand groupid are used to handle requests from the remote user. The userid and\ngroupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS\nmethod of authentication uses certificates on the server and client systems to\nmore securely authenticate the remote mount request.", + "rationale__deleted": "", + "check": { + "__old": "Verify \"AUTH_GSS\" is being used to authenticate NFS mounts.\n\n To check if the system is importing an NFS file system, look for any\nentries in the \"/etc/fstab\" file that have a file system type of \"nfs\" with\nthe following command:\n\n # cat /etc/fstab | grep nfs\n 192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p\n\n If the system is mounting file systems via NFS and has the sec option\nwithout the \"krb5:krb5i:krb5p\" settings, the \"sec\" option has the \"sys\"\nsetting, or the \"sec\" option is missing, this is a finding.", + "__new": "Verify \"AUTH_GSS\" is being used to authenticate NFS mounts.\n\nTo check if the system is importing an NFS file system, look for any entries in the \"/etc/fstab\" file that have a file system type of \"nfs\" with the following command:\n\n# cat /etc/fstab | grep nfs\n192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p\n\nIf the system is mounting file systems via NFS and has the sec option without the \"krb5:krb5i:krb5p\" settings, the \"sec\" option has the \"sys\" setting, or the \"sec\" option is missing, this is a finding." 
+ }, + "fix": { + "__old": "Update the \"/etc/fstab\" file so the option \"sec\" is defined for each\nNFS mounted file system and the \"sec\" option does not have the \"sys\"\nsetting.\n\n Ensure the \"sec\" option is defined as \"krb5:krb5i:krb5p\".", + "__new": "Update the \"/etc/fstab\" file so the option \"sec\" is defined for each NFS mounted file system and the \"sec\" option does not have the \"sys\" setting. \n\nEnsure the \"sec\" option is defined as \"krb5:krb5i:krb5p\"." + } } }, "V-72313": { + "describe__deleted": " if file('/etc/snmp/snmpd.conf').exist?\n impact 0.7\n processed = []\n to_process = ['/etc/snmp/snmpd.conf']\n\n while !to_process.empty?\n in_process = to_process.pop\n next if processed.include? in_process\n processed.push in_process\n\n if file(in_process).directory?\n to_process.concat(\n command(\"find #{in_process} -maxdepth 1 -mindepth 1 -name '*.conf'\").\n stdout.strip.split(\"\\n\").\n select { |f| file(f).file? }\n )\n elsif file(in_process).file?\n to_process.concat(\n command(\"grep -E '^\\\\s*includeFile\\\\s+' #{in_process} | sed 's/^[[:space:]]*includeFile[[:space:]]*//g'\").\n stdout.strip.split(%r{\\n+}).\n map { |f| f.start_with?('/') ? f : File.join(File.dirname(in_process), f) }.\n select { |f| file(f).file? }\n )\n to_process.concat(\n command(\"grep -E '^\\\\s*includeDir\\\\s+' #{in_process} | sed 's/^[[:space:]]*includeDir[[:space:]]*//g'\").\n stdout.strip.split(%r{\\n+}).\n map { |f| f.start_with?('/') ? f : File.join('/', f) }. # relative dirs are treated as absolute\n select { |f| file(f).directory? }\n )\n end\n end\n\n config_files = processed.select { |f| file(f).file? 
}\n\n config_files.each do |config|\n describe file(config) do\n its('content') { should_not match %r{^[^#]*(public|private)} }\n end\n end\n else\n impact 0.0\n describe \"The `snmpd.conf` does not exist\" do\n skip \"The snmpd.conf file does not exist, this control is Not Applicable\"\n end\n end", "tags": { - "check_id": "C-72547r1_chk", - "severity": "high", - "gid": "V-72313", - "rid": "SV-86937r2_rule", - "stig_id": "RHEL-07-040800", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78667r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72547r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72313" - ], - "title": "SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.", - "desc": "[\"Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.false\"]", - "impact": 0.7, + "title": { + "__old": "SNMP community strings on the Red Hat Enterprise Linux operating\nsystem must be changed from the default.", + "__new": "SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default." + }, + "desc": { + "__old": "Whether active or not, default Simple Network Management Protocol\n(SNMP) community strings must be changed to maintain security. 
If the service\nis running with the default authenticators, anyone can gather data about the\nsystem and the network and use the information to potentially compromise the\nintegrity of the system or network(s). It is highly recommended that SNMP\nversion 3 user authentication and message encryption be used in place of the\nversion 2 community strings.", + "__new": "Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings." + }, + "impact": { + "__old": 0, + "__new": 0.7 + }, "descs": { - "check": "Verify that a system using SNMP is not using default community strings.\n\nCheck to see if the \"/etc/snmp/snmpd.conf\" file exists with the following command:\n\n# ls -al /etc/snmp/snmpd.conf\n -rw------- 1 root root 52640 Mar 12 11:08 snmpd.conf\n\nIf the file does not exist, this is Not Applicable.\n\nIf the file does exist, check for the default community strings with the following commands:\n\n# grep public /etc/snmp/snmpd.conf\n# grep private /etc/snmp/snmpd.conf\n\nIf either of these commands returns any output, this is a finding.", - "fix": "If the \"/etc/snmp/snmpd.conf\" file exists, modify any lines that contain a community string value of \"public\" or \"private\" to another string value." + "default__deleted": "Whether active or not, default Simple Network Management Protocol\n(SNMP) community strings must be changed to maintain security. If the service\nis running with the default authenticators, anyone can gather data about the\nsystem and the network and use the information to potentially compromise the\nintegrity of the system or network(s). 
It is highly recommended that SNMP\nversion 3 user authentication and message encryption be used in place of the\nversion 2 community strings.", + "rationale__deleted": "", + "check": { + "__old": "Verify that a system using SNMP is not using default community strings.\n\n Check to see if the \"/etc/snmp/snmpd.conf\" file exists with the following\ncommand:\n\n # ls -al /etc/snmp/snmpd.conf\n -rw------- 1 root root 52640 Mar 12 11:08 snmpd.conf\n\n If the file does not exist, this is Not Applicable.\n\n If the file does exist, check for the default community strings with the\nfollowing commands:\n\n # grep public /etc/snmp/snmpd.conf\n # grep private /etc/snmp/snmpd.conf\n\n If either of these commands returns any output, this is a finding.", + "__new": "Verify that a system using SNMP is not using default community strings.\n\nCheck to see if the \"/etc/snmp/snmpd.conf\" file exists with the following command:\n\n# ls -al /etc/snmp/snmpd.conf\n -rw------- 1 root root 52640 Mar 12 11:08 snmpd.conf\n\nIf the file does not exist, this is Not Applicable.\n\nIf the file does exist, check for the default community strings with the following commands:\n\n# grep public /etc/snmp/snmpd.conf\n# grep private /etc/snmp/snmpd.conf\n\nIf either of these commands returns any output, this is a finding." + }, + "fix": { + "__old": "If the \"/etc/snmp/snmpd.conf\" file exists, modify any lines\nthat contain a community string value of \"public\" or \"private\" to another\nstring value.", + "__new": "If the \"/etc/snmp/snmpd.conf\" file exists, modify any lines that contain a community string value of \"public\" or \"private\" to another string value." 
+ } } }, "V-72315": { + "describe__deleted": " firewalld_services = input('firewalld_services')\n firewalld_hosts_allow = input('firewalld_hosts_allow')\n firewalld_hosts_deny = input('firewalld_hosts_deny')\n firewalld_ports_allow = input('firewalld_ports_allow')\n firewalld_ports_deny = input('firewalld_ports_deny')\n tcpwrappers_allow = input('tcpwrappers_allow')\n tcpwrappers_deny = input('tcpwrappers_deny')\n iptable_rules = input('iptables_rules')\n\n if service('firewalld').running?\n @default_zone = firewalld.default_zone\n\n describe firewalld.where{ zone = @default_zone } do\n its('services') { should be_in firewalld_services }\n end\n\n describe firewalld do\n firewalld_hosts_allow.each do |rule|\n it { should have_rule_enabled(rule) }\n end\n firewalld_hosts_deny.each do |rule|\n it { should_not have_rule_enabled(rule) }\n end\n firewalld_ports_allow.each do |port|\n it { should have_port_enabled_in_zone(port) }\n end\n firewalld_ports_deny.each do |port|\n it { should_not have_port_enabled_in_zone(port) }\n end\n end\n elsif service('iptables').running?\n describe iptables do\n iptable_rules.each do |rule|\n it { should have_rule(rule) }\n end\n end\n else\n describe package('tcp_wrappers') do\n it { should be_installed }\n end\n tcpwrappers_allow.each do |rule|\n describe etc_hosts_allow.where { daemon == rule['daemon'] } do\n its('client_list') { should be rule['client_list'] }\n its('options') { should be rule['options'] }\n end\n end\n tcpwrappers_deny.each do |rule|\n describe etc_hosts_deny.where { daemon == rule['daemon'] } do\n its('client_list') { should be rule['client_list'] }\n its('options') { should be rule['options'] }\n end\n end\n end", "tags": { - "check_id": "C-72549r3_chk", - "severity": "medium", - "gid": "V-72315", - "rid": "SV-86939r3_rule", - "stig_id": "RHEL-07-040810", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78669r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": 
"C-72549r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72315" - ], - "title": "The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.", - "desc": "[\"If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system access control program\nmust be configured to grant or deny system access to specific hosts and\nservices.", + "__new": "The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." + }, + "desc": { + "__old": "If the systems access control program is not configured with\nappropriate rules for allowing and denying access to system network resources,\nservices may be accessible to unauthorized hosts.", + "__new": "If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts." + }, "descs": { - "check": "If the \"firewalld\" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding. 
\n\nVerify the system's access control program is configured to grant or deny system access to specific hosts.\n\nCheck to see if \"firewalld\" is active with the following command:\n\n# systemctl status firewalld\nfirewalld.service - firewalld - dynamic firewall daemon\nLoaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\nActive: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago\n\nIf \"firewalld\" is active, check to see if it is configured to grant or deny access to specific hosts or services with the following commands:\n\n# firewall-cmd --get-default-zone\npublic\n\n# firewall-cmd --list-all --zone=public\npublic (active)\ntarget: default\nicmp-block-inversion: no\ninterfaces: eth0\nsources:\nservices: mdns ssh\nports:\nprotocols:\nmasquerade: no\nforward-ports:\nicmp-blocks:\n\nIf \"firewalld\" is not active, determine whether \"tcpwrappers\" is being used by checking whether the \"hosts.allow\" and \"hosts.deny\" files are empty with the following commands:\n\n# ls -al /etc/hosts.allow\nrw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow\n\n# ls -al /etc/hosts.deny\n-rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny\n\nIf \"firewalld\" and \"tcpwrappers\" are not installed, configured, and active, ask the SA if another access control program (such as iptables) is installed and active. Ask the SA to show that the running configuration grants or denies access to specific hosts or services.\n\nIf \"firewalld\" is active and is not configured to grant access to specific hosts or \"tcpwrappers\" is not configured to grant or deny access to specific hosts, this is a finding.", - "fix": "If \"firewalld\" is installed and active on the system, configure rules for allowing specific services and hosts. \n\nIf \"firewalld\" is not \"active\", enable \"tcpwrappers\" by configuring \"/etc/hosts.allow\" and \"/etc/hosts.deny\" to allow or deny access to specific hosts." 
+ "default__deleted": "If the systems access control program is not configured with\nappropriate rules for allowing and denying access to system network resources,\nservices may be accessible to unauthorized hosts.", + "rationale__deleted": "", + "check": { + "__old": "If the \"firewalld\" package is not installed, ask the System Administrator\n(SA) if another firewall application (such as iptables) is installed. If an\napplication firewall is not installed, this is a finding.\n\n Verify the system's access control program is configured to grant or deny\nsystem access to specific hosts.\n\n Check to see if \"firewalld\" is active with the following command:\n\n # systemctl status firewalld\n firewalld.service - firewalld - dynamic firewall daemon\n Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\n Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago\n\n If \"firewalld\" is active, check to see if it is configured to grant or\ndeny access to specific hosts or services with the following commands:\n\n # firewall-cmd --get-default-zone\n public\n\n # firewall-cmd --list-all --zone=public\n public (active)\n target: default\n icmp-block-inversion: no\n interfaces: eth0\n sources:\n services: mdns ssh\n ports:\n protocols:\n masquerade: no\n forward-ports:\n icmp-blocks:\n\n If \"firewalld\" is not active, determine whether \"tcpwrappers\" is being\nused by checking whether the \"hosts.allow\" and \"hosts.deny\" files are empty\nwith the following commands:\n\n # ls -al /etc/hosts.allow\n rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow\n\n # ls -al /etc/hosts.deny\n -rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny\n\n If \"firewalld\" and \"tcpwrappers\" are not installed, configured, and\nactive, ask the SA if another access control program (such as iptables) is\ninstalled and active. 
Ask the SA to show that the running configuration grants\nor denies access to specific hosts or services.\n\n If \"firewalld\" is active and is not configured to grant access to\nspecific hosts or \"tcpwrappers\" is not configured to grant or deny access to\nspecific hosts, this is a finding.", + "__new": "If the \"firewalld\" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding. \n\nVerify the system's access control program is configured to grant or deny system access to specific hosts.\n\nCheck to see if \"firewalld\" is active with the following command:\n\n# systemctl status firewalld\nfirewalld.service - firewalld - dynamic firewall daemon\nLoaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)\nActive: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago\n\nIf \"firewalld\" is active, check to see if it is configured to grant or deny access to specific hosts or services with the following commands:\n\n# firewall-cmd --get-default-zone\npublic\n\n# firewall-cmd --list-all --zone=public\npublic (active)\ntarget: default\nicmp-block-inversion: no\ninterfaces: eth0\nsources:\nservices: mdns ssh\nports:\nprotocols:\nmasquerade: no\nforward-ports:\nicmp-blocks:\n\nIf \"firewalld\" is not active, determine whether \"tcpwrappers\" is being used by checking whether the \"hosts.allow\" and \"hosts.deny\" files are empty with the following commands:\n\n# ls -al /etc/hosts.allow\nrw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow\n\n# ls -al /etc/hosts.deny\n-rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny\n\nIf \"firewalld\" and \"tcpwrappers\" are not installed, configured, and active, ask the SA if another access control program (such as iptables) is installed and active. 
Ask the SA to show that the running configuration grants or denies access to specific hosts or services.\n\nIf \"firewalld\" is active and is not configured to grant access to specific hosts or \"tcpwrappers\" is not configured to grant or deny access to specific hosts, this is a finding." + }, + "fix": { + "__old": "If \"firewalld\" is installed and active on the system, configure rules for\nallowing specific services and hosts.\n\n If \"firewalld\" is not \"active\", enable \"tcpwrappers\" by configuring\n\"/etc/hosts.allow\" and \"/etc/hosts.deny\" to allow or deny access to\nspecific hosts.", + "__new": "If \"firewalld\" is installed and active on the system, configure rules for allowing specific services and hosts. \n\nIf \"firewalld\" is not \"active\", enable \"tcpwrappers\" by configuring \"/etc/hosts.allow\" and \"/etc/hosts.deny\" to allow or deny access to specific hosts." + } } }, "V-72317": { + "describe__deleted": " approved_tunnels = input('approved_tunnels')\n\n if package('libreswan').installed? && service('ipsec.service').running?\n impact 0.5\n processed = []\n to_process = ['/etc/ipsec.conf']\n\n while !to_process.empty?\n in_process = to_process.pop\n next if processed.include? in_process\n processed.push in_process\n\n to_process.concat(\n command(\"grep -E '^\\\\s*include\\\\s+' #{in_process} | sed 's/^[[:space:]]*include[[:space:]]*//g'\").\n stdout.strip.split(%r{\\s*\\n+\\s*}).\n map { |f| f.start_with?('/') ? f : File.join(File.dirname(in_process), f) }.\n map { |f|\n dir = f.sub(%r{[^/]*[\\*\\?\\[].*$}, '') # gets the longest ancestor path which doesn't contain wildcards\n command(\"find #{dir} -wholename '#{f}'\").stdout.strip.split(\"\\n\")\n }.\n flatten.\n select { |f| file(f).file? 
}\n )\n end\n\n conn_grep = processed.map do |conf|\n command(\"grep -E '^\\\\s*conn\\\\s+' #{conf}\").\n stdout.strip.split(%r{\\s*\\n\\s*})\n end.flatten\n\n describe conn_grep do\n it { should all(be_in approved_tunnels) }\n end\n else\n impact 0.0\n describe \"The system does not have libreswan installed or the ipsec.service isn't running\" do\n skip \"The system does not have libreswan installed or the ipsec.service isn't running, this requirement is Not Applicable.\"\n end\n end", "tags": { - "check_id": "C-72551r2_chk", - "severity": "medium", - "gid": "V-72317", - "rid": "SV-86941r2_rule", - "stig_id": "RHEL-07-040820", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78671r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72551r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72317" - ], - "title": "The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.", - "desc": "[\"IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be documented with the Information System Security Officer (ISSO).false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not have\nunauthorized IP tunnels configured.", + "__new": "The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured." + }, + "desc": { + "__old": "IP tunneling mechanisms can be used to bypass network filtering. If\ntunneling is required, it must be documented with the Information System\nSecurity Officer (ISSO).", + "__new": "IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be documented with the Information System Security Officer (ISSO)." 
+ }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the system does not have unauthorized IP tunnels configured.\n\nCheck to see if \"libreswan\" is installed with the following command:\n\n# yum list installed libreswan\nlibreswan.x86-64 3.20-5.el7_4\n\nIf \"libreswan\" is installed, check to see if the \"IPsec\" service is active with the following command:\n\n# systemctl status ipsec\nipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec\nLoaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)\nActive: inactive (dead)\n\nIf the \"IPsec\" service is active, check to see if any tunnels are configured in \"/etc/ipsec.conf\" and \"/etc/ipsec.d/\" with the following commands:\n\n# grep -iw conn /etc/ipsec.conf /etc/ipsec.d/*.conf\n\nIf there are indications that a \"conn\" parameter is configured for a tunnel, ask the System Administrator if the tunnel is documented with the ISSO. \n\nIf \"libreswan\" is installed, \"IPsec\" is active, and an undocumented tunnel is active, this is a finding.", - "fix": "Remove all unapproved tunnels from the system, or document them with the ISSO." + "default__deleted": "IP tunneling mechanisms can be used to bypass network filtering. 
If\ntunneling is required, it must be documented with the Information System\nSecurity Officer (ISSO).", + "rationale__deleted": "", + "check": { + "__old": "Verify the system does not have unauthorized IP tunnels configured.\n\n Check to see if \"libreswan\" is installed with the following command:\n\n # yum list installed libreswan\n libreswan.x86-64 3.20-5.el7_4\n\n If \"libreswan\" is installed, check to see if the \"IPsec\" service is\nactive with the following command:\n\n # systemctl status ipsec\n ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec\n Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)\n Active: inactive (dead)\n\n If the \"IPsec\" service is active, check to see if any tunnels are\nconfigured in \"/etc/ipsec.conf\" and \"/etc/ipsec.d/\" with the following\ncommands:\n\n # grep -iw conn /etc/ipsec.conf /etc/ipsec.d/*.conf\n\n If there are indications that a \"conn\" parameter is configured for a\ntunnel, ask the System Administrator if the tunnel is documented with the ISSO.\n\n If \"libreswan\" is installed, \"IPsec\" is active, and an undocumented\ntunnel is active, this is a finding.", + "__new": "Verify the system does not have unauthorized IP tunnels configured.\n\nCheck to see if \"libreswan\" is installed with the following command:\n\n# yum list installed libreswan\nlibreswan.x86-64 3.20-5.el7_4\n\nIf \"libreswan\" is installed, check to see if the \"IPsec\" service is active with the following command:\n\n# systemctl status ipsec\nipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec\nLoaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)\nActive: inactive (dead)\n\nIf the \"IPsec\" service is active, check to see if any tunnels are configured in \"/etc/ipsec.conf\" and \"/etc/ipsec.d/\" with the following commands:\n\n# grep -iw conn /etc/ipsec.conf /etc/ipsec.d/*.conf\n\nIf there are indications that a \"conn\" parameter is configured for a tunnel, ask the System 
Administrator if the tunnel is documented with the ISSO. \n\nIf \"libreswan\" is installed, \"IPsec\" is active, and an undocumented tunnel is active, this is a finding." + }, + "fix": { + "__old": "Remove all unapproved tunnels from the system, or document them\nwith the ISSO.", + "__new": "Remove all unapproved tunnels from the system, or document them with the ISSO." + } } }, "V-72319": { + "describe__deleted": " describe.one do\n describe kernel_parameter('net.ipv6.conf.all.accept_source_route') do\n its('value') { should eq 0 }\n end\n\t# If IPv6 is disabled in the kernel it will return NIL\n describe kernel_parameter('net.ipv6.conf.all.accept_source_route') do\n its('value') { should eq nil }\n end\n end", "tags": { - "check_id": "C-72553r2_chk", - "severity": "medium", - "gid": "V-72319", - "rid": "SV-86943r2_rule", - "stig_id": "RHEL-07-040830", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-78673r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-72553r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72319" - ], - "title": "The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.", - "desc": "[\"Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must not forward IPv6\nsource-routed packets.", + "__new": "The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets." 
+ }, + "desc": { + "__old": "Source-routed packets allow the source of the packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv6\nforwarding is enabled and the system is functioning as a router.", + "__new": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router." + }, "descs": { - "check": "If IPv6 is not enabled, the key will not exist, and this is Not Applicable.\n\nVerify the system does not accept IPv6 source-routed packets.\n\n# grep net.ipv6.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*\n\nnet.ipv6.conf.all.accept_source_route = 0\n\nIf \"net.ipv6.conf.all.accept_source_route\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route\nnet.ipv6.conf.all.accept_source_route = 0\n\nIf the returned lines do not have a value of \"0\", this is a finding.", - "fix": "Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv6.conf.all.accept_source_route = 0\n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + "default__deleted": "Source-routed packets allow the source of the 
packet to suggest that\nrouters forward the packet along a different path than configured on the\nrouter, which can be used to bypass network security measures. This requirement\napplies only to the forwarding of source-routed traffic, such as when IPv6\nforwarding is enabled and the system is functioning as a router.", + "rationale__deleted": "", + "check": { + "__old": "If IPv6 is not enabled, the key will not exist, and this is Not Applicable.\n\n Verify the system does not accept IPv6 source-routed packets.\n\n # grep net.ipv6.conf.all.accept_source_route /etc/sysctl.conf\n/etc/sysctl.d/*\n\n net.ipv6.conf.all.accept_source_route = 0\n\n If \"net.ipv6.conf.all.accept_source_route\" is not configured in the\n/etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or\ndoes not have a value of \"0\", this is a finding.\n\n Check that the operating system implements the accept source route variable\nwith the following command:\n\n # /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route\n net.ipv6.conf.all.accept_source_route = 0\n\n If the returned lines do not have a value of \"0\", this is a finding.", + "__new": "If IPv6 is not enabled, the key will not exist, and this is Not Applicable.\n\nVerify the system does not accept IPv6 source-routed packets.\n\n# grep net.ipv6.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*\n\nnet.ipv6.conf.all.accept_source_route = 0\n\nIf \"net.ipv6.conf.all.accept_source_route\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route\nnet.ipv6.conf.all.accept_source_route = 0\n\nIf the returned lines do not have a value of \"0\", this is a finding." 
+ }, + "fix": { + "__old": "Set the system to the required kernel parameter, if IPv6 is enabled, by\nadding the following line to \"/etc/sysctl.conf\" or a configuration file in\nthe /etc/sysctl.d/ directory (or modify the line to have the required value):\n\n net.ipv6.conf.all.accept_source_route = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system", + "__new": "Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv6.conf.all.accept_source_route = 0\n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + } } }, "V-72417": { + "describe__deleted": " mfa_pkg_list = input('mfa_pkg_list')\n smart_card_status = input('smart_card_status')\n\n if smart_card_status.eql?('disabled')\n impact 0.0\n describe \"The system is not smartcard enabled thus this control is Not Applicable\" do\n skip \"The system is not using Smartcards / PIVs to fulfil the MFA requirement, this control is Not Applicable.\"\n end \n elsif mfa_pkg_list.empty?\n describe \"The required Smartcard packages have not beed defined, plese define them in your `inputs`.\" do\n subject { mfa_pkg_list }\n it { should_not be_empty }\n end\n else\n mfa_pkg_list.each do |pkg|\n describe \"The package\" do\n subject { package(\"#{pkg}\") }\n it { should be_installed }\n end\n end\n end", "tags": { - "check_id": "C-72617r5_chk", - "severity": "medium", - "gid": "V-72417", - "rid": "SV-87041r5_rule", - "stig_id": "RHEL-07-041001", - "gtitle": "SRG-OS-000375-GPOS-00160", - "fix_id": "F-78769r5_fix", - "cci": [ - "CCI-001948", - "CCI-001953", - "CCI-001954" - ], - "nist": [ - "IA-2 (11)", - "IA-2 (12)", - "IA-2 (12)" - ] + "check_id__added": "C-72617r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + }, + "rid": { + "__old": 
"SV-87041r4_rule", + "__new": "SV-87041r5_rule" + }, + "fix_id": { + "__old": "F-78769r4_fix", + "__new": "F-78769r5_fix" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72417" - ], - "title": "The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.", - "desc": "[\"Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.\\n\\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.\\n\\nA privileged account is defined as an information system account with authorizations of a privileged user.\\n\\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\\n\\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).\\n\\nSatisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must have the required\n packages for multifactor authentication installed.", + "__new": "The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed." 
+ }, + "desc": { + "__old": "Using an authentication device, such as a CAC or token that is\n separate from the information system, ensures that even if the information\n system is compromised, that compromise will not affect credentials stored on\n the authentication device.\n\n Multifactor solutions that require devices separate from information\n systems gaining access include, for example, hardware tokens providing\n time-based or challenge-response authenticators and smart cards such as the\n U.S. Government Personal Identity Verification card and the DoD Common Access\n Card.\n\n A privileged account is defined as an information system account with\n authorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\n authorized user (or an information system) communicating through an external,\n non-organization-controlled network. Remote access methods include, for\n example, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\n function of the device or has the concept of an organizational user (e.g., VPN,\n proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).", + "__new": "Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.\n\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. 
Government Personal Identity Verification card and the DoD Common Access Card.\n\nA privileged account is defined as an information system account with authorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).\n\n" + }, "descs": { - "check": "Verify the operating system has the packages required for multifactor authentication installed.\n\nCheck for the presence of the packages required to support multifactor authentication with the following commands:\n\n# yum list installed pam_pkcs11\npam_pkcs11-0.6.2-14.el7.noarch.rpm\n\n\nIf the \"pam_pkcs11\" package is not installed, this is a finding.", - "fix": "Configure the operating system to implement multifactor authentication by installing the required packages.\n\nInstall the pam_pkcs11 package with the following command:\n\n# yum install pam_pkcs11" + "default__deleted": "Using an authentication device, such as a CAC or token that is\n separate from the information system, ensures that even if the information\n system is compromised, that compromise will not affect credentials stored on\n the authentication device.\n\n Multifactor solutions that require devices separate from information\n systems gaining access include, for example, hardware tokens providing\n time-based or challenge-response authenticators and smart cards such as the\n U.S. 
Government Personal Identity Verification card and the DoD Common Access\n Card.\n\n A privileged account is defined as an information system account with\n authorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\n authorized user (or an information system) communicating through an external,\n non-organization-controlled network. Remote access methods include, for\n example, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\n function of the device or has the concept of an organizational user (e.g., VPN,\n proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).", + "check": { + "__old": "Verify the operating system has the packages required for multifactor\nauthentication installed.\n\nCheck for the presence of the packages required to support multifactor\nauthentication with the following commands:\n\n# yum list installed esc\nesc-1.1.0-26.el7.noarch.rpm\n\n# yum list installed pam_pkcs11\npam_pkcs11-0.6.2-14.el7.noarch.rpm\n\nIf the \"esc\" and \"pam_pkcs11\" packages are not installed, this is a\nfinding.", + "__new": "Verify the operating system has the packages required for multifactor authentication installed.\n\nCheck for the presence of the packages required to support multifactor authentication with the following commands:\n\n# yum list installed pam_pkcs11\npam_pkcs11-0.6.2-14.el7.noarch.rpm\n\n\nIf the \"pam_pkcs11\" package is not installed, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \"esc\" and \"pam_pkcs11\" packages on the system with the\nfollowing command:\n\n# yum install esc pam_pkcs11", + "__new": "Configure the operating system to implement multifactor authentication by installing the required packages.\n\nInstall the pam_pkcs11 package with the following command:\n\n# yum install pam_pkcs11" + } } }, "V-72427": { + "describe__deleted": " unless package('sssd').installed?\n impact 0.0\n describe \"The SSSD Package is not installed on the system\" do\n skip \"This control is Not Appliciable without the SSSD Package installed.\"\n end\n else\n if (!(sssd_files = command(\"find /etc/sssd -name *.conf\").stdout.split(\"\\n\")).empty?)\n sssd_files.each do |file|\n describe.one do\n describe parse_config_file(file) do\n its('services') { should include 'pam' }\n end if package('sssd').installed?\n describe command(\"grep -i -E 'services(\\s)*=(\\s)*(.+*)pam' #{file}\") do\n its('stdout.strip') { should include 'pam' }\n end if package('sssd').installed?\n end if package('sssd').installed?\n end\n else\n describe \"The set of SSSD configuration files\" do\n subject { sssd_files.to_a }\n it { should_not be_empty }\n end\n end\n end", "tags": { - "check_id": "C-72627r4_chk", - "severity": "medium", - "gid": "V-72427", - "rid": "SV-87051r4_rule", - "stig_id": "RHEL-07-041002", - "gtitle": "SRG-OS-000375-GPOS-00160", - "fix_id": "F-78779r3_fix", - "cci": [ - "CCI-001948", - "CCI-001953", - "CCI-001954" - ], - "nist": [ - "IA-2 (11)", - "IA-2 (12)", - "IA-2 (12)" - ] + "check_id__added": "C-72627r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72427" - ], - "title": "The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged 
accounts via pluggable authentication modules (PAM).", - "desc": "[\"Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.\\n\\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.\\n\\nA privileged account is defined as an information system account with authorizations of a privileged user.\\n\\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\\n\\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).\\n\\nSatisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must implement\n multifactor authentication for access to privileged accounts via pluggable\n authentication modules (PAM).", + "__new": "The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)." 
+ }, + "desc": { + "__old": "Using an authentication device, such as a CAC or token that is\n separate from the information system, ensures that even if the information\n system is compromised, that compromise will not affect credentials stored on\n the authentication device.\n\n Multifactor solutions that require devices separate from information\n systems gaining access include, for example, hardware tokens providing\n time-based or challenge-response authenticators and smart cards such as the\n U.S. Government Personal Identity Verification card and the DoD Common Access\n Card.\n\n A privileged account is defined as an information system account with\n authorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\n authorized user (or an information system) communicating through an external,\n non-organization-controlled network. Remote access methods include, for\n example, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\n function of the device or has the concept of an organizational user (e.g., VPN,\n proxy capability). This does not apply to authentication for the purpose of\n configuring the device itself (management).", + "__new": "Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.\n\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. 
Government Personal Identity Verification card and the DoD Common Access Card.\n\nA privileged account is defined as an information system account with authorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system implements multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).\n\nCheck the \"/etc/sssd/sssd.conf\" file for the authentication services that are being used with the following command:\n\n# grep services /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n\nservices = nss, pam\n\nIf the \"pam\" service is not present on all \"services\" lines, this is a finding.", - "fix": "Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).\n\nModify all of the services lines in \"/etc/sssd/sssd.conf\" or in configuration files found under \"/etc/sssd/conf.d\" to include pam." 
+ "default__deleted": "Using an authentication device, such as a CAC or token that is\n separate from the information system, ensures that even if the information\n system is compromised, that compromise will not affect credentials stored on\n the authentication device.\n\n Multifactor solutions that require devices separate from information\n systems gaining access include, for example, hardware tokens providing\n time-based or challenge-response authenticators and smart cards such as the\n U.S. Government Personal Identity Verification card and the DoD Common Access\n Card.\n\n A privileged account is defined as an information system account with\n authorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\n authorized user (or an information system) communicating through an external,\n non-organization-controlled network. Remote access methods include, for\n example, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\n function of the device or has the concept of an organizational user (e.g., VPN,\n proxy capability). 
This does not apply to authentication for the purpose of\n configuring the device itself (management).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system implements multifactor authentication for\nremote access to privileged accounts via pluggable authentication modules (PAM).\n\n Check the \"/etc/sssd/sssd.conf\" file for the authentication services that\nare being used with the following command:\n\n # grep services /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n\n services = nss, pam\n\n If the \"pam\" service is not present on all \"services\" lines, this is a\nfinding.", + "__new": "Verify the operating system implements multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).\n\nCheck the \"/etc/sssd/sssd.conf\" file for the authentication services that are being used with the following command:\n\n# grep services /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf\n\nservices = nss, pam\n\nIf the \"pam\" service is not present on all \"services\" lines, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to implement multifactor authentication for\nremote access to privileged accounts via pluggable authentication modules (PAM).\n\n Modify all of the services lines in \"/etc/sssd/sssd.conf\" or in\nconfiguration files found under \"/etc/sssd/conf.d\" to include pam.", + "__new": "Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).\n\nModify all of the services lines in \"/etc/sssd/sssd.conf\" or in configuration files found under \"/etc/sssd/conf.d\" to include pam." + } } }, "V-72433": { + "describe__deleted": " smart_card_status = input('smart_card_status')\n\n if smart_card_status.eql?('enabled')\n impact 0.5\n if (pam_file = file('/etc/pam_pkcs11/pam_pkcs11.conf')).exist?\n cert_policy_lines = pam_file.content.nil? ? 
[] :\n pam_file.content.lines.grep(/^(?!.+#).*cert_policy/i)\n if cert_policy_lines.length < 3\n describe 'should contain at least 3 cert policy lines' do\n subject { cert_policy_lines.length }\n it { should >= 3 }\n end\n else\n describe 'each cert policy line should include oscp_on' do\n cert_policy_lines.each do |line|\n subject { line }\n it { should match %r{=[^;]*ocsp_on}i }\n end\n end\n end\n else\n describe pam_file do\n it { should exist }\n end\n end\n else\n impact 0.0\n describe 'The system is not smartcard enabled' do\n skip 'The system is not using Smartcards / PIVs to fulfil the MFA requirement, this control is Not Applicable.'\n end\n end", "tags": { - "check_id": "C-72633r6_chk", - "severity": "medium", - "gid": "V-72433", - "rid": "SV-87057r5_rule", - "stig_id": "RHEL-07-041003", - "gtitle": "SRG-OS-000375-GPOS-00160", - "fix_id": "F-78785r3_fix", - "cci": [ - "CCI-001948", - "CCI-001953", - "CCI-001954" - ], - "nist": [ - "IA-2 (11)", - "IA-2 (12)", - "IA-2 (12)" - ] + "check_id__added": "C-72633r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-72433" - ], - "title": "The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.", - "desc": "[\"Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.\\n\\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. 
Government Personal Identity Verification card and the DoD Common Access Card.\\n\\nA privileged account is defined as an information system account with authorizations of a privileged user.\\n\\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\\n\\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).\\n\\nSatisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must implement\ncertificate status checking for PKI authentication.", + "__new": "The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication." + }, + "desc": { + "__old": "Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. 
Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). This does not apply to authentication for the purpose of\nconfiguring the device itself (management).", + "__new": "Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.\n\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.\n\nA privileged account is defined as an information system account with authorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). 
This does not apply to authentication for the purpose of configuring the device itself (management).\n\n" + }, "descs": { - "check": "Verify the operating system implements certificate status checking for PKI authentication.\n\nCheck to see if Online Certificate Status Protocol (OCSP) is enabled on the system with the following command:\n\n# grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -v \"^#\"\n\ncert_policy = ca, ocsp_on, signature;\ncert_policy = ca, ocsp_on, signature;\ncert_policy = ca, ocsp_on, signature;\n\nThere should be at least three lines returned. \n\nIf \"ocsp_on\" is not present in all uncommented \"cert_policy\" lines in \"/etc/pam_pkcs11/pam_pkcs11.conf\", this is a finding.", - "fix": "Configure the operating system to do certificate status checking for PKI authentication.\n\nModify all of the \"cert_policy\" lines in \"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"." + "default__deleted": "Using an authentication device, such as a CAC or token that is\nseparate from the information system, ensures that even if the information\nsystem is compromised, that compromise will not affect credentials stored on\nthe authentication device.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification card and the DoD Common Access\nCard.\n\n A privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\n Remote access is access to DoD nonpublic information systems by an\nauthorized user (or an information system) communicating through an external,\nnon-organization-controlled network. 
Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\n This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g., VPN,\nproxy capability). This does not apply to authentication for the purpose of\nconfiguring the device itself (management).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system implements certificate status checking for PKI\nauthentication.\n\n Check to see if Online Certificate Status Protocol (OCSP) is enabled on the\nsystem with the following command:\n\n # grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -v \"^#\"\n\n cert_policy = ca, ocsp_on, signature;\n cert_policy = ca, ocsp_on, signature;\n cert_policy = ca, ocsp_on, signature;\n\n There should be at least three lines returned.\n\n If \"ocsp_on\" is not present in all uncommented \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", this is a finding.", + "__new": "Verify the operating system implements certificate status checking for PKI authentication.\n\nCheck to see if Online Certificate Status Protocol (OCSP) is enabled on the system with the following command:\n\n# grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -v \"^#\"\n\ncert_policy = ca, ocsp_on, signature;\ncert_policy = ca, ocsp_on, signature;\ncert_policy = ca, ocsp_on, signature;\n\nThere should be at least three lines returned. \n\nIf \"ocsp_on\" is not present in all uncommented \"cert_policy\" lines in \"/etc/pam_pkcs11/pam_pkcs11.conf\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to do certificate status checking for PKI\nauthentication.\n\n Modify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\".", + "__new": "Configure the operating system to do certificate status checking for PKI authentication.\n\nModify all of the \"cert_policy\" lines in \"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"." + } } }, "V-73155": { + "describe__deleted": " unless package('gnome-desktop3').installed?\n impact 0.0\n describe \"The GNOME desktop is not installed\" do\n skip \"The GNOME desktop is not installed, this control is Not Applicable.\"\n end\n else\n describe command(\"gsettings writable org.gnome.desktop.screensaver lock-delay\") do\n its('stdout.strip') { should cmp 'false' }\n end\n end\n end", "tags": { - "check_id": "C-73279r4_chk", - "severity": "medium", - "gid": "V-73155", - "rid": "SV-87807r4_rule", - "stig_id": "RHEL-07-010081", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-79601r2_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id__added": "C-73279r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-73155" - ], - "title": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.", - "desc": "[\"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must prevent a user from\n overriding the screensaver lock-delay setting for the graphical user interface.", + "__new": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface." + }, + "desc": { + "__old": "A session time-out lock is a temporary action taken when a user stops\n work and moves away from the immediate physical vicinity of the information\n system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session\n prior to vacating the vicinity, operating systems need to be able to identify\n when a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\n determined and/or controlled.", + "__new": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled." 
+ }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.\n\nDetermine which profile the system database is using with the following command:\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck for the lock delay setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\n# grep -i lock-delay /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/lock-delay\n\nIf the command does not return a result, this is a finding.", - "fix": "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/locks/session\n\nAdd the setting to lock the screensaver lock delay:\n\n/org/gnome/desktop/screensaver/lock-delay" + "default__deleted": "A session time-out lock is a temporary action taken when a user stops\n work and moves away from the immediate physical vicinity of the information\n system but does not log out because of the temporary nature of the absence.\n Rather than relying on the user to manually lock their operating system session\n prior to vacating the vicinity, operating systems need to 
be able to identify\n when a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\n determined and/or controlled.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system prevents a user from overriding a screensaver\nlock after a 15-minute period of inactivity for graphical user interfaces.\n\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable. The screen program must be installed to lock sessions on the\nconsole.\n\n Determine which profile the system database is using with the following\ncommand:\n # grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Check for the lock delay setting with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nthe path is \"/etc/dconf/db/local.d\". This path must be modified if a database\nother than \"local\" is being used.\n\n # grep -i lock-delay /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/screensaver/lock-delay\n\n If the command does not return a result, this is a finding.", + "__new": "Verify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.\n\nDetermine which profile the system database is using with the following command:\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck for the lock delay setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n# grep -i lock-delay /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/lock-delay\n\nIf the command does not return a result, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to prevent a user from overriding a\nscreensaver lock after a 15-minute period of inactivity for graphical user\ninterfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n # touch /etc/dconf/db/local.d/locks/session\n\n Add the setting to lock the screensaver lock delay:\n\n /org/gnome/desktop/screensaver/lock-delay", + "__new": "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/locks/session\n\nAdd the setting to lock the screensaver lock delay:\n\n/org/gnome/desktop/screensaver/lock-delay" + } } }, "V-73157": { + "describe__deleted": " unless package('gnome-desktop3').installed?\n impact 0.0\n describe \"The GNOME desktop is not installed\" do\n skip \"The GNOME desktop is not installed, this control is Not Applicable.\"\n end\n else\n describe command(\"gsettings writable org.gnome.desktop.session idle-delay\") do\n its('stdout.strip') { should cmp 'false' }\n end\n end", "tags": { - "check_id": 
"C-73281r3_chk", - "severity": "medium", - "gid": "V-73157", - "rid": "SV-87809r4_rule", - "stig_id": "RHEL-07-010082", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-79603r1_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id__added": "C-73281r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-73157" - ], - "title": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.", - "desc": "[\"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must prevent a user from\noverriding the session idle-delay setting for the graphical user interface.", + "__new": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface." 
+ }, + "desc": { + "__old": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.", + "__new": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. \n\nDetermine which profile the system database is using with the following command:\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck for the session idle delay setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n# grep -i idle-delay /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/session/idle-delay\n\nIf the command does not return a result, this is a finding.", - "fix": "Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in /etc/dconf/profile/user, the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/locks/session\n\nAdd the setting to lock the session idle delay:\n\n/org/gnome/desktop/session/idle-delay" + "default__deleted": "A session time-out lock is a temporary action taken when a user stops\nwork and moves away from the immediate physical vicinity of the information\nsystem but does not log out because of the temporary nature of the absence.\nRather than relying on the user to manually lock their operating system session\nprior to vacating the vicinity, operating systems need to be able to identify\nwhen a user's session has idled and take action to initiate the session lock.\n\n The session lock is implemented at the point where session activity can be\ndetermined and/or controlled.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system prevents a user from overriding session idle\ndelay after a 15-minute period of inactivity for graphical user interfaces.\n\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable. 
The screen program must be installed to lock sessions on the\nconsole.\n\n Determine which profile the system database is using with the following\ncommand:\n # grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Check for the session idle delay setting with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nthe path is \"/etc/dconf/db/local.d\". This path must be modified if a database\nother than \"local\" is being used.\n\n # grep -i idle-delay /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/session/idle-delay\n\n If the command does not return a result, this is a finding.", + "__new": "Verify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. \n\nDetermine which profile the system database is using with the following command:\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck for the session idle delay setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\n# grep -i idle-delay /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/session/idle-delay\n\nIf the command does not return a result, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to prevent a user from overriding a session\nlock after a 15-minute period of inactivity for graphical user interfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in /etc/dconf/profile/user, the file\nshould be created under the appropriate subdirectory.\n\n # touch /etc/dconf/db/local.d/locks/session\n\n Add the setting to lock the session idle delay:\n\n /org/gnome/desktop/session/idle-delay", + "__new": "Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in /etc/dconf/profile/user, the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/locks/session\n\nAdd the setting to lock the session idle delay:\n\n/org/gnome/desktop/session/idle-delay" + } } }, "V-73159": { + "describe__deleted": " max_retry = input('max_retry')\n\n describe pam('/etc/pam.d/passwd') do\n its('lines') { should match_pam_rule('password (required|requisite) pam_pwquality.so') }\n its('lines') { should match_pam_rule('password (required|requisite) pam_pwquality.so').all_with_integer_arg('retry', '>=', 1) }\n its('lines') { should match_pam_rule('password (required|requisite) pam_pwquality.so').all_with_integer_arg('retry', '<=', max_retry) }\n end", "tags": { - "check_id": "C-73283r6_chk", - "severity": "medium", - "gid": "V-73159", - "rid": "SV-87811r4_rule", - "stig_id": "RHEL-07-010119", - "gtitle": "SRG-OS-000069-GPOS-00037", - "fix_id": 
"F-79605r5_fix", - "cci": [ - "CCI-000192" - ], - "nist": [ - "IA-5 (1) (a)" - ] + "check_id__added": "C-73283r6_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-73159" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.", - "desc": "[\"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \\\"pwquality\\\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat when passwords are changed or new passwords are established, pwquality\nmust be used.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used." + }, + "desc": { + "__old": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks. \"pwquality\" enforces complex password construction\nconfiguration and has the ability to limit brute-force attacks on the system.", + "__new": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
\"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system." + }, "descs": { - "check": "Verify the operating system uses \"pwquality\" to enforce the password complexity rules. \n\nCheck for the use of \"pwquality\" with the following command:\n\n# cat /etc/pam.d/system-auth | grep pam_pwquality\n\npassword required pam_pwquality.so retry=3\n\nIf the command does not return an uncommented line containing the value \"pam_pwquality.so\", this is a finding.\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.", - "fix": "Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\nAdd the following line to \"/etc/pam.d/system-auth\" (or modify the line to have the required value):\n\npassword required pam_pwquality.so retry=3\n\nNote: The value of \"retry\" should be between \"1\" and \"3\"." + "default__deleted": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks. \"pwquality\" enforces complex password construction\nconfiguration and has the ability to limit brute-force attacks on the system.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system uses \"pwquality\" to enforce the password\ncomplexity rules.\n\n Check for the use of \"pwquality\" with the following command:\n\n # cat /etc/pam.d/system-auth | grep pam_pwquality\n\n password required pam_pwquality.so retry=3\n\n If the command does not return an uncommented line containing the value\n\"pam_pwquality.so\", this is a finding.\n\n If the value of \"retry\" is set to \"0\" or greater than \"3\", this is a\nfinding.", + "__new": "Verify the operating system uses \"pwquality\" to enforce the password complexity rules. 
\n\nCheck for the use of \"pwquality\" with the following command:\n\n# cat /etc/pam.d/system-auth | grep pam_pwquality\n\npassword required pam_pwquality.so retry=3\n\nIf the command does not return an uncommented line containing the value \"pam_pwquality.so\", this is a finding.\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding." + }, + "fix": { + "__old": "Configure the operating system to use \"pwquality\" to enforce password\ncomplexity rules.\n\n Add the following line to \"/etc/pam.d/system-auth\" (or modify the line to\nhave the required value):\n\n password required pam_pwquality.so retry=3\n\n Note: The value of \"retry\" should be between \"1\" and \"3\".", + "__new": "Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\nAdd the following line to \"/etc/pam.d/system-auth\" (or modify the line to have the required value):\n\npassword required pam_pwquality.so retry=3\n\nNote: The value of \"retry\" should be between \"1\" and \"3\"." + } } }, "V-73161": { + "describe__deleted": " nfs_systems = etc_fstab.nfs_file_systems.entries\n if !nfs_systems.nil? and !nfs_systems.empty?\n nfs_systems.each do |file_system|\n describe file_system do\n its ('mount_options') { should include 'noexec' }\n end\n end\n else\n describe \"No NFS file systems were found.\" do\n subject { nfs_systems.nil? or nfs_systems.empty? 
}\n it { should eq true }\n end\n end", "tags": { - "check_id": "C-73285r2_chk", - "severity": "medium", - "gid": "V-73161", - "rid": "SV-87813r2_rule", - "stig_id": "RHEL-07-021021", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-79607r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-73285r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-73161" - ], - "title": "The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).", - "desc": "[\"The \\\"noexec\\\" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must prevent binary\nfiles from being executed on file systems that are being imported via Network\nFile System (NFS).", + "__new": "The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS)." + }, + "desc": { + "__old": "The \"noexec\" mount option causes the system to not execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files as they may be incompatible. Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.", + "__new": "The \"noexec\" mount option causes the system to not execute binary files. 
This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access." + }, "descs": { - "check": "Verify file systems that are being NFS imported are configured with the \"noexec\" option.\n\nFind the file system(s) that contain the directories being imported with the following command:\n\n# more /etc/fstab | grep nfs\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0\n\nIf a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"noexec\" option set, and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the NFS is mounted with the \"noexec\"option:\n\n# mount | grep nfs | grep noexec\nIf no results are returned and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"noexec\" option on file systems that are being imported via NFS." + "default__deleted": "The \"noexec\" mount option causes the system to not execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files as they may be incompatible. 
Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.", + "rationale__deleted": "", + "check": { + "__old": "Verify file systems that are being NFS imported are configured with the\n\"noexec\" option.\n\n Find the file system(s) that contain the directories being imported with\nthe following command:\n\n # more /etc/fstab | grep nfs\n\n UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0\n\n If a file system found in \"/etc/fstab\" refers to NFS and it does not have\nthe \"noexec\" option set, and use of NFS imported binaries is not documented\nwith the Information System Security Officer (ISSO) as an operational\nrequirement, this is a finding.\n\n Verify the NFS is mounted with the \"noexec\"option:\n\n # mount | grep nfs | grep noexec\n If no results are returned and use of NFS imported binaries is not\ndocumented with the Information System Security Officer (ISSO) as an\noperational requirement, this is a finding.", + "__new": "Verify file systems that are being NFS imported are configured with the \"noexec\" option.\n\nFind the file system(s) that contain the directories being imported with the following command:\n\n# more /etc/fstab | grep nfs\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0\n\nIf a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"noexec\" option set, and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the NFS is mounted with the \"noexec\"option:\n\n# mount | grep nfs | grep noexec\nIf no results are returned and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding." 
+ }, + "fix": { + "__old": "Configure the \"/etc/fstab\" to use the \"noexec\" option on\nfile systems that are being imported via NFS.", + "__new": "Configure the \"/etc/fstab\" to use the \"noexec\" option on file systems that are being imported via NFS." + } } }, "V-73163": { + "describe__deleted": " describe parse_config_file('/etc/audisp/audisp-remote.conf') do\n its('network_failure_action'.to_s) { should be_in ['syslog', 'single', 'halt'] }\n end", "tags": { - "check_id": "C-73287r4_chk", - "severity": "medium", - "gid": "V-73163", - "rid": "SV-87815r3_rule", - "stig_id": "RHEL-07-030321", - "gtitle": "SRG-OS-000342-GPOS-00133", - "fix_id": "F-79609r2_fix", - "cci": [ - "CCI-001851" - ], - "nist": [ - "AU-4 (1)" - ] + "check_id__added": "C-73287r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-73163" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.", - "desc": "[\"Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the audit system takes appropriate action when there is an error sending\naudit records to a remote system.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system." 
+ }, + "desc": { + "__old": "Taking appropriate action when there is an error sending audit records\nto a remote system will minimize the possibility of losing audit records.", + "__new": "Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records." + }, "descs": { - "check": "Verify the action the operating system takes if there is an error sending audit records to a remote system.\n\nCheck the action that takes place if there is an error sending audit records to a remote system with the following command:\n\n# grep -i network_failure_action /etc/audisp/audisp-remote.conf\nnetwork_failure_action = syslog\n\nIf the value of the \"network_failure_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, this is a finding.", - "fix": "Configure the action the operating system takes if there is an error sending audit records to a remote system.\n\nUncomment the \"network_failure_action\" option in \"/etc/audisp/audisp-remote.conf\" and set it to \"syslog\", \"single\", or \"halt\".\n\nnetwork_failure_action = syslog" + "default__deleted": "Taking appropriate action when there is an error sending audit records\nto a remote system will minimize the possibility of losing audit records.", + "rationale__deleted": "", + "check": { + "__old": "Verify the action the operating system takes if there is an error sending\naudit records to a remote system.\n\n Check the action that takes place if there is an error sending audit\nrecords to a remote system with the following command:\n\n # grep -i network_failure_action /etc/audisp/audisp-remote.conf\n network_failure_action = syslog\n\n If the value of the \"network_failure_action\" option is not \"syslog\",\n\"single\", or \"halt\", or the line is commented out, this is a finding.", + "__new": "Verify the action the operating system takes if there is an error sending audit records to a remote system.\n\nCheck the 
action that takes place if there is an error sending audit records to a remote system with the following command:\n\n# grep -i network_failure_action /etc/audisp/audisp-remote.conf\nnetwork_failure_action = syslog\n\nIf the value of the \"network_failure_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, this is a finding." + }, + "fix": { + "__old": "Configure the action the operating system takes if there is an error\nsending audit records to a remote system.\n\n Uncomment the \"network_failure_action\" option in\n\"/etc/audisp/audisp-remote.conf\" and set it to \"syslog\", \"single\", or\n\"halt\".\n\n network_failure_action = syslog", + "__new": "Configure the action the operating system takes if there is an error sending audit records to a remote system.\n\nUncomment the \"network_failure_action\" option in \"/etc/audisp/audisp-remote.conf\" and set it to \"syslog\", \"single\", or \"halt\".\n\nnetwork_failure_action = syslog" + } } }, "V-73165": { + "describe__deleted": " audit_file = '/etc/group'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n # Resource creates data structure including all usages of file\n perms = auditd.file(audit_file).permissions\n\n perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?\n", "tags": { - "check_id": "C-73289r4_chk", - "severity": "medium", - "gid": "V-73165", - "rid": "SV-87817r3_rule", - "stig_id": "RHEL-07-030871", - "gtitle": "SRG-OS-000004-GPOS-00004", - "fix_id": "F-79611r3_fix", - "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - 
"CCI-002130" - ], - "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)" - ] + "check_id__added": "C-73289r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-73165" - ], - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must generate audit\nrecords for all account creations, modifications, disabling, and termination\nevents that affect /etc/group.", + "__new": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group." 
+ }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter)." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/group\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep /etc/group /etc/audit/audit.rules\n\n-w /etc/group -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/group\".\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/group -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system must generate audit records for all account\ncreations, modifications, disabling, and termination events that affect\n\"/etc/group\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep /etc/group /etc/audit/audit.rules\n\n -w /etc/group -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "__new": "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/group\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep /etc/group /etc/audit/audit.rules\n\n-w /etc/group -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records for all account\ncreations, modifications, disabling, and termination events that affect\n\"/etc/group\".\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/group -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/group\".\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/group -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-73167": { + "describe__deleted": " audit_file = '/etc/gshadow'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n # Resource creates data structure including all usages of file\n perms = auditd.file(audit_file).permissions\n\n perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?\n", "tags": { - "check_id": "C-73291r4_chk", - "severity": "medium", - "gid": "V-73167", - "rid": "SV-87819r4_rule", - "stig_id": "RHEL-07-030872", - "gtitle": "SRG-OS-000004-GPOS-00004", - "fix_id": "F-79613r3_fix", - "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-002130" - ], - "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - "AC-2 (4)" - ] + "check_id__added": "C-73291r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red 
Hat 7" ] ], - "id": [ - "V-73167" - ], - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must generate audit\nrecords for all account creations, modifications, disabling, and termination\nevents that affect /etc/gshadow.", + "__new": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter)." 
+ }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep /etc/gshadow /etc/audit/audit.rules\n\n-w /etc/gshadow -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/gshadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system must generate audit records for all account\ncreations, modifications, disabling, and termination events that affect\n\"/etc/gshadow\".\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep /etc/gshadow /etc/audit/audit.rules\n\n -w /etc/gshadow -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "__new": "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# 
grep /etc/gshadow /etc/audit/audit.rules\n\n-w /etc/gshadow -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records for all account\ncreations, modifications, disabling, and termination events that affect\n\"/etc/gshadow\".\n\n Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/gshadow -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/gshadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-73171": { + "describe__deleted": " audit_file = '/etc/shadow'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n # Resource creates data structure including all usages of file\n perms = auditd.file(audit_file).permissions\n\n perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?\n", "tags": { - "check_id": "C-73295r4_chk", - "severity": "medium", - "gid": "V-73171", - "rid": "SV-87823r4_rule", - "stig_id": "RHEL-07-030873", - "gtitle": "SRG-OS-000004-GPOS-00004", - "fix_id": "F-79617r4_fix", - "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-002130" - ], - "nist": [ - "AC-2 (4)", - "AU-12 c", - "AC-2 (4)", - 
"AC-2 (4)" - ] + "check_id__added": "C-73295r4_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-73171" - ], - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must generate audit\nrecords for all account creations, modifications, disabling, and termination\nevents that affect /etc/shadow.", + "__new": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter)." 
+ }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep /etc/shadow /etc/audit/audit.rules\n\n-w /etc/shadow -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.\n\nAdd or update the following file system rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/shadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system must generate audit records for all account\ncreations, modifications, disabling, and termination events that affect\n/etc/shadow.\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep /etc/shadow /etc/audit/audit.rules\n\n -w /etc/shadow -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "__new": "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep 
/etc/shadow /etc/audit/audit.rules\n\n-w /etc/shadow -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records for all account\ncreations, modifications, disabling, and termination events that affect\n/etc/shadow.\n\n Add or update the following file system rule in\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/shadow -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.\n\nAdd or update the following file system rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/shadow -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-73173": { + "describe__deleted": " audit_file = '/etc/security/opasswd'\n\n if file(audit_file).exist?\n impact 0.5\n else\n impact 0.0\n end\n\n describe auditd.file(audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end if file(audit_file).exist?\n\n # Resource creates data structure including all usages of file\n perms = auditd.file(audit_file).permissions\n\n perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end if file(audit_file).exist?\n\n describe \"The #{audit_file} file does not exist\" do\n skip \"The #{audit_file} file does not exist, this requirement is Not Applicable.\"\n end if !file(audit_file).exist?", "tags": { - "check_id": "C-73297r5_chk", - "severity": "medium", - "gid": "V-73173", - "rid": "SV-87825r5_rule", - "stig_id": "RHEL-07-030874", - "gtitle": "SRG-OS-000004-GPOS-00004", - "fix_id": "F-79619r6_fix", - "cci": [ - "CCI-000018", - "CCI-000172", - "CCI-001403", - "CCI-002130" - ], - "nist": [ - "AC-2 (4)", - "AU-12 c", - 
"AC-2 (4)", - "AC-2 (4)" - ] + "check_id__added": "C-73297r5_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-73173" - ], - "title": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must generate audit\nrecords for all account creations, modifications, disabling, and termination\nevents that affect /etc/opasswd.", + "__new": "The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd." 
+ }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter)." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep /etc/security/opasswd /etc/audit/audit.rules\n\n-w /etc/security/opasswd -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding.", - "fix": "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.\n\nAdd or update the following file system rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/security/opasswd -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect:\n# systemctl restart auditd" + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated 
from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system must generate audit records for all account\ncreations, modifications, disabling, and termination events that affect\n/etc/opasswd.\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep /etc/security/opasswd /etc/audit/audit.rules\n\n -w /etc/security/opasswd -p wa -k identity\n\n If the command does not return a line, or the line is commented out, this\nis a finding.", + "__new": "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep /etc/security/opasswd /etc/audit/audit.rules\n\n-w /etc/security/opasswd -p wa -k identity\n\nIf the command does not return a line, or the line is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records for all account\ncreations, modifications, disabling, and termination events that affect\n/etc/opasswd.\n\n Add or update the following file system rule in\n\"/etc/audit/rules.d/audit.rules\":\n\n -w /etc/security/opasswd -p wa -k identity\n\n The audit daemon must be restarted for the changes to take effect:\n # systemctl restart auditd", + "__new": "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.\n\nAdd or update the following file system rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/security/opasswd -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect:\n# systemctl restart auditd" + } } }, "V-73175": { + "describe__deleted": " describe kernel_parameter('net.ipv4.conf.all.accept_redirects') do\n its('value') { should eq 0 }\n end", "tags": { - "check_id": "C-73299r3_chk", - "severity": "medium", - "gid": "V-73175", - "rid": "SV-87827r4_rule", - "stig_id": "RHEL-07-040641", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-79621r3_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-73299r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-73175" - ], - "title": "The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.", - "desc": "[\"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must ignore Internet\nProtocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect\nmessages.", + "__new": "The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages." + }, + "desc": { + "__old": "ICMP redirect messages are used by routers to inform hosts that a more\ndirect route exists for a particular destination. These messages modify the\nhost's route table and are unauthenticated. An illicit ICMP redirect message\ncould result in a man-in-the-middle attack.", + "__new": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack." 
+ }, "descs": { - "check": "Verify the system ignores IPv4 ICMP redirect messages.\n\n# grep 'net.ipv4.conf.all.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/*\n\nIf \" net.ipv4.conf.all.accept_redirects \" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"accept_redirects\" variables with the following command:\n\n# /sbin/sysctl -a | grep 'net.ipv4.conf.all.accept_redirects'\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding.", - "fix": "Set the system to ignore IPv4 ICMP redirect messages by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.all.accept_redirects = 0 \n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + "default__deleted": "ICMP redirect messages are used by routers to inform hosts that a more\ndirect route exists for a particular destination. These messages modify the\nhost's route table and are unauthenticated. 
An illicit ICMP redirect message\ncould result in a man-in-the-middle attack.", + "rationale__deleted": "", + "check": { + "__old": "Verify the system ignores IPv4 ICMP redirect messages.\n\n # grep 'net.ipv4.conf.all.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/*\n\n If \" net.ipv4.conf.all.accept_redirects \" is not configured in the\n/etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or\ndoes not have a value of \"0\", this is a finding.\n\n Check that the operating system implements the \"accept_redirects\"\nvariables with the following command:\n\n # /sbin/sysctl -a | grep 'net.ipv4.conf.all.accept_redirects'\n\n net.ipv4.conf.all.accept_redirects = 0\n\n If the returned line does not have a value of \"0\", this is a finding.", + "__new": "Verify the system ignores IPv4 ICMP redirect messages.\n\n# grep 'net.ipv4.conf.all.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/*\n\nIf \" net.ipv4.conf.all.accept_redirects \" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"0\", this is a finding.\n\nCheck that the operating system implements the \"accept_redirects\" variables with the following command:\n\n# /sbin/sysctl -a | grep 'net.ipv4.conf.all.accept_redirects'\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", this is a finding." 
+ }, + "fix": { + "__old": "Set the system to ignore IPv4 ICMP redirect messages by adding the\nfollowing line to \"/etc/sysctl.conf\" or a configuration file in the\n/etc/sysctl.d/ directory (or modify the line to have the required value):\n\n net.ipv4.conf.all.accept_redirects = 0\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system", + "__new": "Set the system to ignore IPv4 ICMP redirect messages by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.all.accept_redirects = 0 \n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + } } }, "V-73177": { + "describe__deleted": " describe command('nmcli device') do\n its('stdout.strip') { should_not match %r{wifi connected} }\n end", "tags": { - "check_id": "C-73301r1_chk", - "severity": "medium", - "gid": "V-73177", - "rid": "SV-87829r2_rule", - "stig_id": "RHEL-07-041010", - "gtitle": "SRG-OS-000424-GPOS-00188", - "fix_id": "F-79623r1_fix", - "cci": [ - "CCI-001443", - "CCI-001444", - "CCI-002418" - ], - "nist": [ - "AC-18 (1)", - "AC-18 (1)", - "SC-8" - ] + "check_id__added": "C-73301r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-73177" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled.", - "desc": "[\"The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. 
These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat all wireless network adapters are disabled.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled." + }, + "desc": { + "__old": "The use of wireless networking can introduce many different attack\nvectors into the organization's network. Common attack vectors such as\nmalicious association and ad hoc networks will allow an attacker to spoof a\nwireless access point (AP), allowing validated systems to connect to the\nmalicious AP and enabling the attacker to monitor and record network traffic.\nThese malicious APs can also serve to create a man-in-the-middle attack or be\nused to create a denial of service to valid network resources.", + "__new": "The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources." 
+ }, "descs": { - "check": "Verify that there are no wireless interfaces configured on the system.\n\nThis is N/A for systems that do not have wireless network adapters.\n\nCheck for the presence of active wireless interfaces with the following command:\n\n# nmcli device\nDEVICE TYPE STATE\neth0 ethernet connected\nwlp3s0 wifi disconnected\nlo loopback unmanaged\n\nIf a wireless interface is configured and its use on the system is not documented with the Information System Security Officer (ISSO), this is a finding.", - "fix": "Configure the system to disable all wireless network interfaces with the following command:\n\n#nmcli radio wifi off" + "default__deleted": "The use of wireless networking can introduce many different attack\nvectors into the organization's network. Common attack vectors such as\nmalicious association and ad hoc networks will allow an attacker to spoof a\nwireless access point (AP), allowing validated systems to connect to the\nmalicious AP and enabling the attacker to monitor and record network traffic.\nThese malicious APs can also serve to create a man-in-the-middle attack or be\nused to create a denial of service to valid network resources.", + "rationale__deleted": "", + "check": { + "__old": "Verify that there are no wireless interfaces configured on the system.\n\n This is N/A for systems that do not have wireless network adapters.\n\n Check for the presence of active wireless interfaces with the following\ncommand:\n\n # nmcli device\n DEVICE TYPE STATE\n eth0 ethernet connected\n wlp3s0 wifi disconnected\n lo loopback unmanaged\n\n If a wireless interface is configured and its use on the system is not\ndocumented with the Information System Security Officer (ISSO), this is a\nfinding.", + "__new": "Verify that there are no wireless interfaces configured on the system.\n\nThis is N/A for systems that do not have wireless network adapters.\n\nCheck for the presence of active wireless interfaces with the following command:\n\n# nmcli 
device\nDEVICE TYPE STATE\neth0 ethernet connected\nwlp3s0 wifi disconnected\nlo loopback unmanaged\n\nIf a wireless interface is configured and its use on the system is not documented with the Information System Security Officer (ISSO), this is a finding." + }, + "fix": { + "__old": "Configure the system to disable all wireless network interfaces with the\nfollowing command:\n\n #nmcli radio wifi off", + "__new": "Configure the system to disable all wireless network interfaces with the following command:\n\n#nmcli radio wifi off" + } } }, "V-77819": { + "describe__deleted": " multifactor_enabled = input('multifactor_enabled')\n dconf_user = input('dconf_user')\n\n if package('gnome-desktop3').installed? && (package('pcsc-lite').installed? || package('esc').installed?)\n impact 0.5\n if !dconf_user.nil? && command('whoami').stdout.strip == 'root'\n describe command(\"sudo -u #{dconf_user} dconf read /org/gnome/login-screen/enable-smartcard-authentication\") do\n its('stdout.strip') { should eq multifactor_enabled.to_s }\n end\n else\n describe command(\"dconf read /org/gnome/login-screen/enable-smartcard-authentication\") do\n its('stdout.strip') { should eq multifactor_enabled.to_s }\n end\n end\n else\n impact 0.0\n if !package('gnome-desktop3').installed?\n describe \"The GNOME desktop is not installed\" do\n skip \"The GNOME desktop is not installed, this control is Not Applicable.\"\n end\n end\n\n if !package('pcsc-lite').installed?\n describe \"The pcsc-lite package is not installed\" do\n skip \"The pcsc-lite package is not installed, this control is Not Applicable.\"\n end\n end\n if !package('esc').installed?\n describe \"The esc package is not installed\" do\n skip \"The esc package is not installed, this control is Not Applicable.\"\n end\n end\n end", "tags": { - "check_id": "C-77437r2_chk", - "severity": "medium", - "gid": "V-77819", - "rid": "SV-92515r2_rule", - "stig_id": "RHEL-07-010061", - "gtitle": "SRG-OS-000375-GPOS-00160", - "fix_id": 
"F-84519r4_fix", - "cci": [ - "CCI-001948", - "CCI-001953", - "CCI-001954" - ], - "nist": [ - "IA-2 (11)", - "IA-2 (12)", - "IA-2 (12)" - ] + "check_id__added": "C-77437r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-77819" - ], - "title": "The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.", - "desc": "[\"To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system.\\n\\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.\\n\\nSatisfies: SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must uniquely identify\nand must authenticate users using multifactor authentication via a graphical\nuser logon.", + "__new": "The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon." + }, + "desc": { + "__old": "To assure accountability and prevent unauthenticated access, users\nmust be identified and authenticated to prevent potential misuse and compromise\nof the system.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. 
Government Personal Identity Verification card and the DoD Common Access\nCard.", + "__new": "To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.\n\n" + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system uniquely identifies and authenticates users using multifactor authentication via a graphical user logon.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. \n\nDetermine which profile the system database is using with the following command:\n\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nNote: The example is using the database local for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than local is being used.\n\n# grep enable-smartcard-authentication /etc/dconf/db/local.d/*\n\nenable-smartcard-authentication=true\n\nIf \"enable-smartcard-authentication\" is set to \"false\" or the keyword is missing, this is a finding.", - "fix": "Configure the operating system to uniquely identify and authenticate users using multifactor authentication via a graphical user logon.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example is using the database local for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/00-defaults\n\nEdit \"[org/gnome/login-screen]\" and add or update the following line:\nenable-smartcard-authentication=true \n\nUpdate the system databases:\n# dconf update" + "default__deleted": "To assure accountability and prevent unauthenticated access, users\nmust be identified and authenticated to prevent potential misuse and compromise\nof the system.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. 
Government Personal Identity Verification card and the DoD Common Access\nCard.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system uniquely identifies and authenticates users\nusing multifactor authentication via a graphical user logon.\n\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable.\n\n Determine which profile the system database is using with the following\ncommand:\n\n # grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Note: The example is using the database local for the system, so the path\nis \"/etc/dconf/db/local.d\". This path must be modified if a database other\nthan local is being used.\n\n # grep enable-smartcard-authentication /etc/dconf/db/local.d/*\n\n enable-smartcard-authentication=true\n\n If \"enable-smartcard-authentication\" is set to \"false\" or the keyword\nis missing, this is a finding.", + "__new": "Verify the operating system uniquely identifies and authenticates users using multifactor authentication via a graphical user logon.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. \n\nDetermine which profile the system database is using with the following command:\n\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nNote: The example is using the database local for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than local is being used.\n\n# grep enable-smartcard-authentication /etc/dconf/db/local.d/*\n\nenable-smartcard-authentication=true\n\nIf \"enable-smartcard-authentication\" is set to \"false\" or the keyword is missing, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to uniquely identify and authenticate users\nusing multifactor authentication via a graphical user logon.\n\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example is using the database local for the system, so if the\nsystem is using another database in \"/etc/dconf/profile/user\", the file\nshould be created under the appropriate subdirectory.\n\n # touch /etc/dconf/db/local.d/00-defaults\n\n Edit \"[org/gnome/login-screen]\" and add or update the following line:\n enable-smartcard-authentication=true\n\n Update the system databases:\n # dconf update", + "__new": "Configure the operating system to uniquely identify and authenticate users using multifactor authentication via a graphical user logon.\n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example is using the database local for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/00-defaults\n\nEdit \"[org/gnome/login-screen]\" and add or update the following line:\nenable-smartcard-authentication=true \n\nUpdate the system databases:\n# dconf update" + } } }, "V-77821": { + "describe__deleted": " describe kernel_module('dccp') do\n it { should_not be_loaded }\n it { should be_blacklisted }\n end", "tags": { - "check_id": "C-77439r11_chk", - "severity": "medium", - "gid": "V-77821", - "rid": "SV-92517r3_rule", - "stig_id": "RHEL-07-020101", - "gtitle": "SRG-OS-000378-GPOS-00163", - "fix_id": "F-84521r3_fix", - "cci": [ - "CCI-001958" - ], - "nist": [ - "IA-3" 
- ] + "check_id__added": "C-77439r11_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-77821" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.", - "desc": "[\"Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the Datagram Congestion Control Protocol (DCCP) kernel module is disabled\nunless required.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required." + }, + "desc": { + "__old": "Disabling DCCP protects the system against exploitation of any flaws\nin the protocol implementation.", + "__new": "Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation." 
+ }, "descs": { - "check": "Verify the operating system disables the ability to load the DCCP kernel module.\n\n# grep -r dccp /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v \"^#\"\n\ninstall dccp /bin/true\n\nIf the command does not return any output, or the line is commented out, and use of DCCP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the DCCP kernel module.\n\nCheck to see if the DCCP kernel module is disabled with the following command:\n\n# grep -i dccp /etc/modprobe.d/* | grep -i \"blacklist\" | grep -v \"^#\"\n\nblacklist dccp\n\nIf the command does not return any output or the output is not \"blacklist dccp\", and use of the dccp kernel module is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", - "fix": "Configure the operating system to disable the ability to use the DCCP kernel module.\n\nCreate a file under \"/etc/modprobe.d\" with the following command:\n\n# touch /etc/modprobe.d/dccp.conf\n\nAdd the following line to the created file:\n\ninstall dccp /bin/true\n\nEnsure that the DCCP module is blacklisted: \n\n# vi /etc/modprobe.d/blacklist.conf\n\nAdd or update the line:\n\nblacklist dccp" + "default__deleted": "Disabling DCCP protects the system against exploitation of any flaws\nin the protocol implementation.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system disables the ability to load the DCCP kernel\nmodule.\n\n # grep -r dccp /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v \"^#\"\n\n install dccp /bin/true\n\n If the command does not return any output, or the line is commented out,\nand use of DCCP is not documented with the Information System Security Officer\n(ISSO) as an operational requirement, this is a finding.\n\n Verify the operating system disables the ability to use the DCCP 
kernel\nmodule.\n\n Check to see if the DCCP kernel module is disabled with the following\ncommand:\n\n # grep -i dccp /etc/modprobe.d/* | grep -i \"blacklist\" | grep -v \"^#\"\n\n blacklist dccp\n\n If the command does not return any output or the output is not \"blacklist\ndccp\", and use of the dccp kernel module is not documented with the\nInformation System Security Officer (ISSO) as an operational requirement, this\nis a finding.", + "__new": "Verify the operating system disables the ability to load the DCCP kernel module.\n\n# grep -r dccp /etc/modprobe.d/* | grep -i \"/bin/true\" | grep -v \"^#\"\n\ninstall dccp /bin/true\n\nIf the command does not return any output, or the line is commented out, and use of DCCP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the DCCP kernel module.\n\nCheck to see if the DCCP kernel module is disabled with the following command:\n\n# grep -i dccp /etc/modprobe.d/* | grep -i \"blacklist\" | grep -v \"^#\"\n\nblacklist dccp\n\nIf the command does not return any output or the output is not \"blacklist dccp\", and use of the dccp kernel module is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to disable the ability to use the DCCP\nkernel module.\n\n Create a file under \"/etc/modprobe.d\" with the following command:\n\n # touch /etc/modprobe.d/dccp.conf\n\n Add the following line to the created file:\n\n install dccp /bin/true\n\n Ensure that the DCCP module is blacklisted:\n\n # vi /etc/modprobe.d/blacklist.conf\n\n Add or update the line:\n\n blacklist dccp", + "__new": "Configure the operating system to disable the ability to use the DCCP kernel module.\n\nCreate a file under \"/etc/modprobe.d\" with the following command:\n\n# touch /etc/modprobe.d/dccp.conf\n\nAdd the following line to the created file:\n\ninstall dccp /bin/true\n\nEnsure that the DCCP module is blacklisted: \n\n# vi /etc/modprobe.d/blacklist.conf\n\nAdd or update the line:\n\nblacklist dccp" + } } }, "V-77823": { + "describe__deleted": " describe command(\"grep -i execstart /usr/lib/systemd/system/rescue.service\") do\n its('stdout.strip') { should match %r{/usr/sbin/sulogin} }\n end", "tags": { - "check_id": "C-77441r2_chk", - "severity": "medium", - "gid": "V-77823", - "rid": "SV-92519r2_rule", - "stig_id": "RHEL-07-010481", - "gtitle": "SRG-OS-000080-GPOS-00048", - "fix_id": "F-84523r2_fix", - "cci": [ - "CCI-000213" - ], - "nist": [ - "AC-3" - ] + "check_id__added": "C-77441r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-77823" - ], - "title": "The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes.", - "desc": "[\"If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must 
require\nauthentication upon booting into single-user and maintenance modes.", + "__new": "The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes." + }, + "desc": { + "__old": "If the system does not require valid root authentication before it\nboots into single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system.", + "__new": "If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system." + }, "descs": { - "check": "Verify the operating system must require authentication upon booting into single-user and maintenance modes.\n\nCheck that the operating system requires authentication upon booting into single-user mode with the following command:\n\n# grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin\n\nExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\"\n\nIf \"ExecStart\" does not have \"/usr/sbin/sulogin\" as an option, this is a finding.", - "fix": "Configure the operating system to require authentication upon booting into single-user and maintenance modes.\n\nAdd or modify the \"ExecStart\" line in \"/usr/lib/systemd/system/rescue.service\" to include \"/usr/sbin/sulogin\":\n\nExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\"" + "default__deleted": "If the system does not require valid root authentication before it\nboots into single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system must require authentication upon booting into\nsingle-user and maintenance modes.\n\n Check that the operating 
system requires authentication upon booting into\nsingle-user mode with the following command:\n\n # grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin\n\n ExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail\n--no-block default\"\n\n If \"ExecStart\" does not have \"/usr/sbin/sulogin\" as an option, this is\na finding.", + "__new": "Verify the operating system must require authentication upon booting into single-user and maintenance modes.\n\nCheck that the operating system requires authentication upon booting into single-user mode with the following command:\n\n# grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin\n\nExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\"\n\nIf \"ExecStart\" does not have \"/usr/sbin/sulogin\" as an option, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to require authentication upon booting into\nsingle-user and maintenance modes.\n\n Add or modify the \"ExecStart\" line in\n\"/usr/lib/systemd/system/rescue.service\" to include \"/usr/sbin/sulogin\":\n\n ExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail\n--no-block default\"", + "__new": "Configure the operating system to require authentication upon booting into single-user and maintenance modes.\n\nAdd or modify the \"ExecStart\" line in \"/usr/lib/systemd/system/rescue.service\" to include \"/usr/sbin/sulogin\":\n\nExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\"" + } } }, "V-77825": { + "describe__deleted": " randomize_va_space = input('randomize_va_space')\n\n describe kernel_parameter('kernel.randomize_va_space') do\n its('value') { should eq randomize_va_space }\n end", "tags": { - "check_id": "C-77449r3_chk", - "severity": "medium", - "gid": "V-77825", - "rid": "SV-92521r2_rule", - "stig_id": "RHEL-07-040201", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-84531r2_fix", - "cci": 
[ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-77449r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-77825" - ], - "title": "The Red Hat Enterprise Linux operating system must implement virtual address space randomization.", - "desc": "[\"Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must implement virtual\naddress space randomization.", + "__new": "The Red Hat Enterprise Linux operating system must implement virtual address space randomization." + }, + "desc": { + "__old": "Address space layout randomization (ASLR) makes it more difficult for\nan attacker to predict the location of attack code he or she has introduced\ninto a process's address space during an attempt at exploitation. Additionally,\nASLR also makes it more difficult for an attacker to know the location of\nexisting code in order to repurpose it using return-oriented programming (ROP)\ntechniques.", + "__new": "Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques." 
+ }, "descs": { - "check": "Verify the operating system implements virtual address space randomization.\n\n# grep kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d/*\n\nkernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of \"2\", this is a finding.\n\nCheck that the operating system implements virtual address space randomization with the following command:\n\n# /sbin/sysctl -a | grep kernel.randomize_va_space \n\nkernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" does not have a value of \"2\", this is a finding.", - "fix": "Configure the operating system implement virtual address space randomization.\n\nSet the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nkernel.randomize_va_space = 2\n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + "default__deleted": "Address space layout randomization (ASLR) makes it more difficult for\nan attacker to predict the location of attack code he or she has introduced\ninto a process's address space during an attempt at exploitation. 
Additionally,\nASLR also makes it more difficult for an attacker to know the location of\nexisting code in order to repurpose it using return-oriented programming (ROP)\ntechniques.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system implements virtual address space randomization.\n\n # grep kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d/*\n\n kernel.randomize_va_space = 2\n\n If \"kernel.randomize_va_space\" is not configured in the /etc/sysctl.conf\nfile or in the /etc/sysctl.d/ directory, is commented out or does not have a\nvalue of \"2\", this is a finding.\n\n Check that the operating system implements virtual address space\nrandomization with the following command:\n\n # /sbin/sysctl -a | grep kernel.randomize_va_space\n\n kernel.randomize_va_space = 2\n\n If \"kernel.randomize_va_space\" does not have a value of \"2\", this is a\nfinding.", + "__new": "Verify the operating system implements virtual address space randomization.\n\n# grep kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d/*\n\nkernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of \"2\", this is a finding.\n\nCheck that the operating system implements virtual address space randomization with the following command:\n\n# /sbin/sysctl -a | grep kernel.randomize_va_space \n\nkernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" does not have a value of \"2\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system implement virtual address space\nrandomization.\n\n Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a config file in the /etc/sysctl.d/ directory\n(or modify the line to have the required value):\n\n kernel.randomize_va_space = 2\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system", + "__new": "Configure the operating system implement virtual address space randomization.\n\nSet the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nkernel.randomize_va_space = 2\n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + } } }, "V-78995": { + "describe__deleted": " if package('gnome-desktop3').installed?\n describe command(\"gsettings writable org.gnome.desktop.screensaver lock-enabled\") do\n its('stdout.strip') { should cmp 'false' }\n end\n else\n impact 0.0\n describe \"The GNOME desktop is not installed\" do\n skip \"The GNOME desktop is not installed, this control is Not Applicable.\"\n end\n end ", "tags": { - "check_id": "C-78583r1_chk", - "severity": "medium", - "gid": "V-78995", - "rid": "SV-93701r3_rule", - "stig_id": "RHEL-07-010062", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-85745r1_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id__added": "C-78583r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-78995" - ], - "title": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.", - "desc": "[\"A session lock is a temporary action taken when a user stops work and moves away from the immediate 
physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\\n\\nThe session lock is implemented at the point where session activity can be determined.\\n\\nThe ability to enable/disable a session lock is given to the user by default. Disabling the user’s ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.\\nfalse\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must prevent a user from\noverriding the screensaver lock-enabled setting for the graphical user\ninterface.", + "__new": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface." + }, + "desc": { + "__old": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n The ability to enable/disable a session lock is given to the user by\ndefault. Disabling the user’s ability to disengage the graphical user interface\nsession lock provides the assurance that all sessions will lock after the\nspecified period of time.", + "__new": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nThe ability to enable/disable a session lock is given to the user by default. 
Disabling the user’s ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.\n\nDetermine which profile the system database is using with the following command:\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck for the lock-enabled setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\n# grep -i lock-enabled /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/lock-enabled\n\nIf the command does not return a result, this is a finding.", - "fix": "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/locks/session\n\nAdd the setting to lock the screensaver lock-enabled setting:\n\n/org/gnome/desktop/screensaver/lock-enabled" + "default__deleted": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the 
temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n The ability to enable/disable a session lock is given to the user by\ndefault. Disabling the user’s ability to disengage the graphical user interface\nsession lock provides the assurance that all sessions will lock after the\nspecified period of time.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system prevents a user from overriding the screensaver\nlock-enabled setting for the graphical user interface.\n\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable. The screen program must be installed to lock sessions on the\nconsole.\n\n Determine which profile the system database is using with the following\ncommand:\n # grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Check for the lock-enabled setting with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nthe path is \"/etc/dconf/db/local.d\". This path must be modified if a database\nother than \"local\" is being used.\n\n # grep -i lock-enabled /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/screensaver/lock-enabled\n\n If the command does not return a result, this is a finding.", + "__new": "Verify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.\n\nDetermine which profile the system database is using with the following command:\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck for the lock-enabled setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n# grep -i lock-enabled /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/lock-enabled\n\nIf the command does not return a result, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to prevent a user from overriding a\nscreensaver lock after a 15-minute period of inactivity for graphical user\ninterfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n # touch /etc/dconf/db/local.d/locks/session\n\n Add the setting to lock the screensaver lock-enabled setting:\n\n /org/gnome/desktop/screensaver/lock-enabled", + "__new": "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/locks/session\n\nAdd the setting to lock the screensaver lock-enabled setting:\n\n/org/gnome/desktop/screensaver/lock-enabled" + } } }, "V-78997": { + "describe__deleted": " if package('gnome-desktop3').installed?\n impact 0.5\n else\n impact 0.0\n end\n\n describe command(\"gsettings writable org.gnome.desktop.screensaver idle-activation-enabled\") do\n its('stdout.strip') { should cmp 'false' }\n end if package('gnome-desktop3').installed?\n\n describe \"The GNOME desktop is not installed\" do\n skip \"The GNOME 
desktop is not installed, this control is Not Applicable.\"\n end if !package('gnome-desktop3').installed?", "tags": { - "check_id": "C-78585r1_chk", - "severity": "medium", - "gid": "V-78997", - "rid": "SV-93703r2_rule", - "stig_id": "RHEL-07-010101", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-85747r1_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id__added": "C-78585r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-78997" - ], - "title": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.", - "desc": "[\"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\\n\\nThe session lock is implemented at the point where session activity can be determined.\\n\\nThe ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must prevent a user from\noverriding the screensaver idle-activation-enabled setting for the graphical\nuser interface.", + "__new": "The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface." 
+ }, + "desc": { + "__old": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n The ability to enable/disable a session lock is given to the user by\ndefault. Disabling the user's ability to disengage the graphical user interface\nsession lock provides the assurance that all sessions will lock after the\nspecified period of time.", + "__new": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nThe ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time." + }, + "impact": { + "__old": 0, + "__new": 0.5 + }, "descs": { - "check": "Verify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.\n\nDetermine which profile the system database is using with the following command:\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck for the idle-activation-enabled setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n# grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/idle-activation-enabled\n\nIf the command does not return a result, this is a finding.", - "fix": "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/locks/session\n\nAdd the setting to lock the screensaver idle-activation-enabled setting:\n\n/org/gnome/desktop/screensaver/idle-activation-enabled" + "default__deleted": "A session lock is a temporary action taken when a user stops work and\nmoves away from the immediate physical vicinity of the information system but\ndoes not want to log out because of the temporary nature of the absence.\n\n The session lock is implemented at the point where session activity can be\ndetermined.\n\n The ability to enable/disable a session lock is given to the user by\ndefault. Disabling the user's ability to disengage the graphical user interface\nsession lock provides the assurance that all sessions will lock after the\nspecified period of time.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system prevents a user from overriding the screensaver\nidle-activation-enabled setting for the graphical user interface.\n\n Note: If the system does not have GNOME installed, this requirement is Not\nApplicable. 
The screen program must be installed to lock sessions on the\nconsole.\n\n Determine which profile the system database is using with the following\ncommand:\n # grep system-db /etc/dconf/profile/user\n\n system-db:local\n\n Check for the idle-activation-enabled setting with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nthe path is \"/etc/dconf/db/local.d\". This path must be modified if a database\nother than \"local\" is being used.\n\n # grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/*\n\n /org/gnome/desktop/screensaver/idle-activation-enabled\n\n If the command does not return a result, this is a finding.", + "__new": "Verify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. \n\nNote: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.\n\nDetermine which profile the system database is using with the following command:\n# grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck for the idle-activation-enabled setting with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\n# grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/idle-activation-enabled\n\nIf the command does not return a result, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to prevent a user from overriding a\nscreensaver lock after a 15-minute period of inactivity for graphical user\ninterfaces.\n\n Create a database to contain the system-wide screensaver settings (if it\ndoes not already exist) with the following command:\n\n Note: The example below is using the database \"local\" for the system, so\nif the system is using another database in \"/etc/dconf/profile/user\", the\nfile should be created under the appropriate subdirectory.\n\n # touch /etc/dconf/db/local.d/locks/session\n\n Add the setting to lock the screensaver idle-activation-enabled setting:\n\n /org/gnome/desktop/screensaver/idle-activation-enabled", + "__new": "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n# touch /etc/dconf/db/local.d/locks/session\n\nAdd the setting to lock the screensaver idle-activation-enabled setting:\n\n/org/gnome/desktop/screensaver/idle-activation-enabled" + } } }, "V-78999": { + "describe__deleted": " describe auditd.syscall(\"create_module\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"create_module\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-78587r3_chk", - "severity": "medium", - "gid": "V-78999", - "rid": "SV-93705r3_rule", - "stig_id": "RHEL-07-030819", - "gtitle": "SRG-OS-000471-GPOS-00216", 
- "fix_id": "F-85749r4_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-78587r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-78999" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe create_module syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"create_module\" syscall occur. \n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw create_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S create_module -k module-change\n\n-a always,exit -F arch=b64 -S create_module -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"create_module\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"create_module\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S create_module -k module-change\n\n-a always,exit -F arch=b64 -S create_module -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." 
+ "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"create_module\" syscall occur.\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep -iw create_module /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S create_module -k module-change\n\n -a always,exit -F arch=b64 -S create_module -k module-change\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"create_module\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"create_module\" syscall occur. \n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw create_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S create_module -k module-change\n\n-a always,exit -F arch=b64 -S create_module -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"create_module\" syscall, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"create_module\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S create_module -k module-change\n\n -a always,exit -F arch=b64 -S create_module -k module-change\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"create_module\" syscall occur.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S create_module -k module-change\n\n-a always,exit -F arch=b64 -S create_module -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." + } } }, "V-79001": { + "describe__deleted": " describe auditd.syscall(\"finit_module\").where {arch == \"b32\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n if os.arch == 'x86_64'\n describe auditd.syscall(\"finit_module\").where {arch == \"b64\"} do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end", "tags": { - "check_id": "C-78589r3_chk", - "severity": "medium", - "gid": "V-79001", - "rid": "SV-93707r3_rule", - "stig_id": "RHEL-07-030821", - "gtitle": "SRG-OS-000471-GPOS-00216", - "fix_id": "F-85751r3_fix", - "cci": [ - "CCI-000172" - ], - "nist": [ - "AU-12 c" - ] + "check_id__added": "C-78589r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-79001" - ], - "title": "The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall.", - "desc": "[\"Without generating audit records that are specific to the security and mission needs of the organization, it would be 
difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \\n\\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\\n\\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must audit all uses of\nthe finit_module syscall.", + "__new": "The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall." + }, + "desc": { + "__old": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "__new": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\n" + }, "descs": { - "check": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"finit_module\" syscall occur. 
\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw finit_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S finit_module -k module-change\n\n-a always,exit -F arch=b64 -S finit_module -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"finit_module\" syscall, this is a finding.", - "fix": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"finit_module\" syscall occur. \n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F arch=b32 -S finit_module -k module-change\n\n-a always,exit -F arch=b64 -S finit_module -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." + "default__deleted": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system generates audit records when\nsuccessful/unsuccessful attempts to use the \"finit_module\" syscall occur.\n\n Check the auditing rules in \"/etc/audit/audit.rules\" with the following\ncommand:\n\n # grep -iw finit_module /etc/audit/audit.rules\n\n -a always,exit -F arch=b32 -S finit_module -k module-change\n\n -a always,exit -F arch=b64 -S finit_module -k module-change\n\n If both the \"b32\" and \"b64\" audit rules are not defined for the\n\"finit_module\" syscall, this is a finding.", + "__new": "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"finit_module\" syscall occur. 
\n\nCheck the auditing rules in \"/etc/audit/audit.rules\" with the following command:\n\n# grep -iw finit_module /etc/audit/audit.rules\n\n-a always,exit -F arch=b32 -S finit_module -k module-change\n\n-a always,exit -F arch=b64 -S finit_module -k module-change\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"finit_module\" syscall, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"finit_module\" syscall occur.\n\n Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n -a always,exit -F arch=b32 -S finit_module -k module-change\n\n -a always,exit -F arch=b64 -S finit_module -k module-change\n\n The audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"finit_module\" syscall occur. \n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\": \n\n-a always,exit -F arch=b32 -S finit_module -k module-change\n\n-a always,exit -F arch=b64 -S finit_module -k module-change\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, "V-81003": { + "describe__deleted": " # Get the content of /etc/pam.d/passwd as an array\n pam_passwd_content = file('/etc/pam.d/passwd').content.strip.split(\"\\n\")\n # Make a new array of any line matching the target pattern:\n # /password\\s+substack\\s+system-auth\n matching_lines = pam_passwd_content.select { |i| i.match(/password\\s+substack\\s+system-auth/) }\n\n describe '/etc/pam.d/passwd' do\n subject { matching_lines }\n it 'substacks system-auth' do\n expect(subject.length).to(eql 1)\n end\n end", "tags": { - "check_id": "C-80717r1_chk", - "severity": "medium", - "gid": "V-81003", - "rid": "SV-95715r1_rule", - "stig_id": "RHEL-07-010118", - "gtitle": "SRG-OS-000069-GPOS-00037", - "fix_id": "F-87837r1_fix", - "cci": [ - "CCI-000192" - ], - "nist": [ - "IA-5 (1) (a)" - ] + "check_id__added": "C-80717r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-81003" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.", - "desc": "[\"Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing\npasswords.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords." + }, + "desc": { + "__old": "Pluggable authentication modules (PAM) allow for a modular approach to\nintegrating authentication methods. 
PAM operates in a top-down processing model\nand if the modules are not listed in the correct order, an important security\nfunction could be bypassed if stack entries are not centralized.", + "__new": "Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized." + }, "descs": { - "check": "Verify that /etc/pam.d/passwd is configured to use /etc/pam.d/system-auth when changing passwords:\n\n# cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth\npassword substack system-auth\n\nIf no results are returned, the line is commented out, this is a finding.", - "fix": "Configure PAM to utilize /etc/pam.d/system-auth when changing passwords.\n\nAdd the following line to \"/etc/pam.d/passwd\" (or modify the line to have the required value):\n\npassword substack system-auth" + "default__deleted": "Pluggable authentication modules (PAM) allow for a modular approach to\nintegrating authentication methods. PAM operates in a top-down processing model\nand if the modules are not listed in the correct order, an important security\nfunction could be bypassed if stack entries are not centralized.", + "rationale__deleted": "", + "check": { + "__old": "Verify that /etc/pam.d/passwd is configured to use /etc/pam.d/system-auth\nwhen changing passwords:\n\n # cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth\n password substack system-auth\n\n If no results are returned, the line is commented out, this is a finding.", + "__new": "Verify that /etc/pam.d/passwd is configured to use /etc/pam.d/system-auth when changing passwords:\n\n# cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth\npassword substack system-auth\n\nIf no results are returned, the line is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure PAM to utilize /etc/pam.d/system-auth when changing passwords.\n\n Add the following line to \"/etc/pam.d/passwd\" (or modify the line to have\nthe required value):\n\n password substack system-auth", + "__new": "Configure PAM to utilize /etc/pam.d/system-auth when changing passwords.\n\nAdd the following line to \"/etc/pam.d/passwd\" (or modify the line to have the required value):\n\npassword substack system-auth" + } } }, "V-81005": { + "describe__deleted": " if file('/sys/firmware/efi').exist?\n impact 0.0\n describe \"System running UEFI\" do\n skip \"The System is running UEFI, this control is Not Applicable.\"\n end\n else\n unless os[:release] >= \"7.2\"\n impact 0.0\n describe \"System running version of RHEL prior to 7.2\" do\n skip \"The System is running an outdated version of RHEL, this control is Not Applicable.\"\n end\n else\n impact 0.7\n input('grub_user_boot_files').each do |grub_user_file|\n describe parse_config_file(grub_user_file) do\n its('GRUB2_PASSWORD') { should include \"grub.pbkdf2.sha512\"}\n end\n end\n\n describe parse_config_file(input('grub_main_cfg')) do\n its('set superusers') { should cmp '\"root\"' } \n end\n end\n end", "tags": { - "check_id": "C-80719r2_chk", - "severity": "high", - "gid": "V-81005", - "rid": "SV-95717r1_rule", - "stig_id": "RHEL-07-010482", - "gtitle": "SRG-OS-000080-GPOS-00048", - "fix_id": "F-87839r2_fix", - "cci": [ - "CCI-000213" - ], - "nist": [ - "AC-3" - ] + "check_id__added": "C-80719r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-81005" - ], - "title": "Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.", - "desc": "[\"If the system does not require valid root authentication before it boots into single-user or 
maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.false\"]", - "impact": 0.7, + "title": { + "__old": "Red Hat Enterprise Linux operating systems version 7.2 or newer with a\nBasic Input/Output System (BIOS) must require authentication upon booting into\nsingle-user and maintenance modes.", + "__new": "Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." + }, + "desc": { + "__old": "If the system does not require valid root authentication before it\nboots into single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. GRUB\n2 is the default boot loader for RHEL 7 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.", + "__new": "If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu." + }, "descs": { - "check": "For systems that use UEFI, this is Not Applicable.\n\nFor systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n\nCheck to see if an encrypted root password is set. 
On systems that use a BIOS, use the following command:\n\n# grep -iw grub2_password /boot/grub2/user.cfg\nGRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\nIf the root password does not begin with \"grub.pbkdf2.sha512\", this is a finding.\n\nVerify that the \"root\" account is set as the \"superusers\":\n\n# grep -iw \"superusers\" /boot/grub2/grub.cfg\n set superusers=\"root\"\n export superusers\n\nIf \"superusers\" is not set to \"root\", this is a finding.", - "fix": "Configure the system to encrypt the boot password for root.\n\nGenerate an encrypted grub2 password for root with the following command:\n\nNote: The hash generated is an example.\n \n# grub2-setpassword\nEnter password:\nConfirm password:\n\nEdit the /boot/grub2/grub.cfg file and add or modify the following lines in the \"### BEGIN /etc/grub.d/01_users ###\" section:\n\nset superusers=\"root\"\nexport superusers" + "default__deleted": "If the system does not require valid root authentication before it\nboots into single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. GRUB\n2 is the default boot loader for RHEL 7 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.", + "rationale__deleted": "", + "check": { + "__old": "For systems that use UEFI, this is Not Applicable.\n\n For systems that are running a version of RHEL prior to 7.2, this is Not\nApplicable.\n\n Check to see if an encrypted root password is set. 
On systems that use a\nBIOS, use the following command:\n\n # grep -iw grub2_password /boot/grub2/user.cfg\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\n If the root password does not begin with \"grub.pbkdf2.sha512\", this is a\nfinding.\n\n Verify that the \"root\" account is set as the \"superusers\":\n\n # grep -iw \"superusers\" /boot/grub2/grub.cfg\n set superusers=\"root\"\n export superusers\n\n If \"superusers\" is not set to \"root\", this is a finding.", + "__new": "For systems that use UEFI, this is Not Applicable.\n\nFor systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n\nCheck to see if an encrypted root password is set. On systems that use a BIOS, use the following command:\n\n# grep -iw grub2_password /boot/grub2/user.cfg\nGRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\nIf the root password does not begin with \"grub.pbkdf2.sha512\", this is a finding.\n\nVerify that the \"root\" account is set as the \"superusers\":\n\n# grep -iw \"superusers\" /boot/grub2/grub.cfg\n set superusers=\"root\"\n export superusers\n\nIf \"superusers\" is not set to \"root\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the system to encrypt the boot password for root.\n\n Generate an encrypted grub2 password for root with the following command:\n\n Note: The hash generated is an example.\n\n # grub2-setpassword\n Enter password:\n Confirm password:\n\n Edit the /boot/grub2/grub.cfg file and add or modify the following lines in\nthe \"### BEGIN /etc/grub.d/01_users ###\" section:\n\n set superusers=\"root\"\n export superusers", + "__new": "Configure the system to encrypt the boot password for root.\n\nGenerate an encrypted grub2 password for root with the following command:\n\nNote: The hash generated is an example.\n \n# grub2-setpassword\nEnter password:\nConfirm password:\n\nEdit the /boot/grub2/grub.cfg file and add or modify the following lines in the \"### BEGIN /etc/grub.d/01_users ###\" section:\n\nset superusers=\"root\"\nexport superusers" + } } }, "V-81007": { + "describe__deleted": " unless file('/sys/firmware/efi').exist?\n impact 0.0\n describe \"System running BIOS\" do\n skip \"The System is running BIOS, this control is Not Applicable.\"\n end\n else\n unless os[:release] >= \"7.2\"\n impact 0.0\n describe \"System running version of RHEL prior to 7.2\" do\n skip \"The System is running an outdated version of RHEL, this control is Not Applicable.\"\n end\n else\n impact 0.7\n input('grub_uefi_user_boot_files').each do |grub_user_file|\n describe parse_config_file(grub_user_file) do\n its('GRUB2_PASSWORD') { should include \"grub.pbkdf2.sha512\"}\n end\n end\n\n describe parse_config_file(input('grub_uefi_main_cfg')) do\n its('set superusers') { should cmp '\"root\"' } \n end\n end\n end", "tags": { - "check_id": "C-80721r2_chk", - "severity": "high", - "gid": "V-81007", - "rid": "SV-95719r1_rule", - "stig_id": "RHEL-07-010491", - "gtitle": "SRG-OS-000080-GPOS-00048", - "fix_id": "F-87841r2_fix", - "cci": [ - "CCI-000213" - ], - "nist": [ - "AC-3" - ] + "check_id__added": "C-80721r2_chk", + "documentable__added": false, + 
"severity": { + "__old": null, + "__new": "high" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-81007" - ], - "title": "Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.", - "desc": "[\"If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.false\"]", - "impact": 0.7, + "title": { + "__old": "Red Hat Enterprise Linux operating systems version 7.2 or newer using\nUnified Extensible Firmware Interface (UEFI) must require authentication upon\nbooting into single-user and maintenance modes.", + "__new": "Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." + }, + "desc": { + "__old": "If the system does not require valid root authentication before it\nboots into single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. GRUB\n2 is the default boot loader for RHEL 7 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.", + "__new": "If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu." 
+ }, + "impact": { + "__old": 0, + "__new": 0.7 + }, "descs": { - "check": "For systems that use BIOS, this is Not Applicable.\n\nFor systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n\nCheck to see if an encrypted root password is set. On systems that use UEFI, use the following command:\n\n# grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg\nGRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\nIf the root password does not begin with \"grub.pbkdf2.sha512\", this is a finding.\n\nVerify that the \"root\" account is set as the \"superusers\":\n\n# grep -iw \"superusers\" /boot/efi/EFI/redhat/grub.cfg\n set superusers=\"root\"\n export superusers\n\nIf \"superusers\" is not set to \"root\", this is a finding.", - "fix": "Configure the system to encrypt the boot password for root.\n\nGenerate an encrypted grub2 password for root with the following command:\n\nNote: The hash generated is an example.\n \n# grub2-setpassword\nEnter password:\nConfirm password:\n\nEdit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the \"### BEGIN /etc/grub.d/01_users ###\" section:\n\nset superusers=\"root\"\nexport superusers" + "default__deleted": "If the system does not require valid root authentication before it\nboots into single-user or maintenance mode, anyone who invokes single-user or\nmaintenance mode is granted privileged access to all files on the system. GRUB\n2 is the default boot loader for RHEL 7 and is designed to require a password\nto boot into single-user mode or make modifications to the boot menu.", + "rationale__deleted": "", + "check": { + "__old": "For systems that use BIOS, this is Not Applicable.\n\n For systems that are running a version of RHEL prior to 7.2, this is Not\nApplicable.\n\n Check to see if an encrypted root password is set. 
On systems that use\nUEFI, use the following command:\n\n # grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg\n GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\n If the root password does not begin with \"grub.pbkdf2.sha512\", this is a\nfinding.\n\n Verify that the \"root\" account is set as the \"superusers\":\n\n # grep -iw \"superusers\" /boot/efi/EFI/redhat/grub.cfg\n set superusers=\"root\"\n export superusers\n\n If \"superusers\" is not set to \"root\", this is a finding.", + "__new": "For systems that use BIOS, this is Not Applicable.\n\nFor systems that are running a version of RHEL prior to 7.2, this is Not Applicable.\n\nCheck to see if an encrypted root password is set. On systems that use UEFI, use the following command:\n\n# grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg\nGRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\nIf the root password does not begin with \"grub.pbkdf2.sha512\", this is a finding.\n\nVerify that the \"root\" account is set as the \"superusers\":\n\n# grep -iw \"superusers\" /boot/efi/EFI/redhat/grub.cfg\n set superusers=\"root\"\n export superusers\n\nIf \"superusers\" is not set to \"root\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the system to encrypt the boot password for root.\n\n Generate an encrypted grub2 password for root with the following command:\n\n Note: The hash generated is an example.\n\n # grub2-setpassword\n Enter password:\n Confirm password:\n\n Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following\nlines in the \"### BEGIN /etc/grub.d/01_users ###\" section:\n\n set superusers=\"root\"\n export superusers", + "__new": "Configure the system to encrypt the boot password for root.\n\nGenerate an encrypted grub2 password for root with the following command:\n\nNote: The hash generated is an example.\n \n# grub2-setpassword\nEnter password:\nConfirm password:\n\nEdit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the \"### BEGIN /etc/grub.d/01_users ###\" section:\n\nset superusers=\"root\"\nexport superusers" + } } }, "V-81009": { + "describe__deleted": " describe mount('/dev/shm') do\n its('options') { should include 'nodev' }\n end", "tags": { - "check_id": "C-80723r2_chk", - "severity": "low", - "gid": "V-81009", - "rid": "SV-95721r2_rule", - "stig_id": "RHEL-07-021022", - "gtitle": "SRG-OS-000368-GPOS-00154", - "fix_id": "F-87843r2_fix", - "cci": [ - "CCI-001764" - ], - "nist": [ - "CM-7 (2)" - ] + "check_id__added": "C-80723r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "low" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-81009" - ], - "title": "The Red Hat Enterprise Linux operating system must mount /dev/shm with the nodev option.", - "desc": "[\"The \\\"nodev\\\" mount option causes the system to not interpret character or block special devices. 
Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false\"]", - "impact": 0.3, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must mount /dev/shm with\nthe nodev option.", + "__new": "The Red Hat Enterprise Linux operating system must mount /dev/shm with the nodev option." + }, + "desc": { + "__old": "The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", + "__new": "The \"nodev\" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access." + }, "descs": { - "check": "Verify that the \"nodev\" option is configured for /dev/shm:\n\n\n# cat /etc/fstab | grep /dev/shm\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf any results are returned and the \"nodev\" option is not listed, this is a finding.\n\nVerify \"/dev/shm\" is mounted with the \"nodev\" option:\n\n# mount | grep \"/dev/shm\" | grep nodev\n\nIf no results are returned, this is a finding.", - "fix": "Configure the system so that /dev/shm is mounted with the \"nodev\" option." + "default__deleted": "The \"nodev\" mount option causes the system to not interpret\ncharacter or block special devices. 
Executing character or block special\ndevices from untrusted file systems increases the opportunity for unprivileged\nusers to attain unauthorized administrative access.", + "rationale__deleted": "", + "check": { + "__old": "Verify that the \"nodev\" option is configured for /dev/shm:\n\n\n # cat /etc/fstab | grep /dev/shm\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\n If any results are returned and the \"nodev\" option is not listed, this is\na finding.\n\n Verify \"/dev/shm\" is mounted with the \"nodev\" option:\n\n # mount | grep \"/dev/shm\" | grep nodev\n\n If no results are returned, this is a finding.", + "__new": "Verify that the \"nodev\" option is configured for /dev/shm:\n\n\n# cat /etc/fstab | grep /dev/shm\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf any results are returned and the \"nodev\" option is not listed, this is a finding.\n\nVerify \"/dev/shm\" is mounted with the \"nodev\" option:\n\n# mount | grep \"/dev/shm\" | grep nodev\n\nIf no results are returned, this is a finding." + }, + "fix": { + "__old": "Configure the system so that /dev/shm is mounted with the\n\"nodev\" option.", + "__new": "Configure the system so that /dev/shm is mounted with the \"nodev\" option." 
+ } } }, "V-81011": { + "describe__deleted": " describe mount('/dev/shm') do\n its('options') { should include 'nosuid' }\n end", "tags": { - "check_id": "C-80725r2_chk", - "severity": "low", - "gid": "V-81011", - "rid": "SV-95723r2_rule", - "stig_id": "RHEL-07-021023", - "gtitle": "SRG-OS-000368-GPOS-00154", - "fix_id": "F-87845r2_fix", - "cci": [ - "CCI-001764" - ], - "nist": [ - "CM-7 (2)" - ] + "check_id__added": "C-80725r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "low" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-81011" - ], - "title": "The Red Hat Enterprise Linux operating system must mount /dev/shm with the nosuid option.", - "desc": "[\"The \\\"nosuid\\\" mount option causes the system to not execute \\\"setuid\\\" and \\\"setgid\\\" files with owner privileges. This option must be used for mounting any file system not containing approved \\\"setuid\\\" and \\\"setguid\\\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false\"]", - "impact": 0.3, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must mount /dev/shm with\nthe nosuid option.", + "__new": "The Red Hat Enterprise Linux operating system must mount /dev/shm with the nosuid option." + }, + "desc": { + "__old": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "__new": "The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access." + }, "descs": { - "check": "Verify that the \"nosuid\" option is configured for /dev/shm:\n\n# cat /etc/fstab | grep /dev/shm\n\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf any results are returned and the \"nosuid\" option is not listed, this is a finding.\n\nVerify \"/dev/shm\" is mounted with the \"nosuid\" option:\n\n# mount | grep \"/dev/shm\" | grep nosuid\n\nIf no results are returned, this is a finding.", - "fix": "Configure the system so that /dev/shm is mounted with the \"nosuid\" option." + "default__deleted": "The \"nosuid\" mount option causes the system to not execute\n\"setuid\" and \"setgid\" files with owner privileges. This option must be used\nfor mounting any file system not containing approved \"setuid\" and \"setguid\"\nfiles. Executing files from untrusted file systems increases the opportunity\nfor unprivileged users to attain unauthorized administrative access.", + "rationale__deleted": "", + "check": { + "__old": "Verify that the \"nosuid\" option is configured for /dev/shm:\n\n # cat /etc/fstab | grep /dev/shm\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\n If any results are returned and the \"nosuid\" option is not listed, this\nis a finding.\n\n Verify \"/dev/shm\" is mounted with the \"nosuid\" option:\n\n # mount | grep \"/dev/shm\" | grep nosuid\n\n If no results are returned, this is a finding.", + "__new": "Verify that the \"nosuid\" option is configured for /dev/shm:\n\n# cat /etc/fstab | grep /dev/shm\n\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf any results are returned and the \"nosuid\" option is not listed, this is a finding.\n\nVerify \"/dev/shm\" is mounted with the \"nosuid\" option:\n\n# mount | grep \"/dev/shm\" | grep nosuid\n\nIf no results are returned, this is a finding." 
+ }, + "fix": { + "__old": "Configure the system so that /dev/shm is mounted with the\n\"nosuid\" option.", + "__new": "Configure the system so that /dev/shm is mounted with the \"nosuid\" option." + } } }, "V-81013": { + "describe__deleted": " describe mount('/dev/shm') do\n its('options') { should include 'noexec' }\n end", "tags": { - "check_id": "C-80727r2_chk", - "severity": "low", - "gid": "V-81013", - "rid": "SV-95725r2_rule", - "stig_id": "RHEL-07-021024", - "gtitle": "SRG-OS-000368-GPOS-00154", - "fix_id": "F-87847r2_fix", - "cci": [ - "CCI-001764" - ], - "nist": [ - "CM-7 (2)" - ] + "check_id__added": "C-80727r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "low" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-81013" - ], - "title": "The Red Hat Enterprise Linux operating system must mount /dev/shm with the noexec option.", - "desc": "[\"The \\\"noexec\\\" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false\"]", - "impact": 0.3, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must mount /dev/shm with\nthe noexec option.", + "__new": "The Red Hat Enterprise Linux operating system must mount /dev/shm with the noexec option." + }, + "desc": { + "__old": "The \"noexec\" mount option causes the system to not execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files as they may be incompatible. Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.", + "__new": "The \"noexec\" mount option causes the system to not execute binary files. 
This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access." + }, "descs": { - "check": "Verify that the \"noexec\" option is configured for /dev/shm:\n\n# cat /etc/fstab | grep /dev/shm\n\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf any results are returned and the \"noexec\" option is not listed, this is a finding.\n\nVerify \"/dev/shm\" is mounted with the \"noexec\" option:\n\n# mount | grep \"/dev/shm\" | grep noexec\n\nIf no results are returned, this is a finding.", - "fix": "Configure the system so that /dev/shm is mounted with the \"noexec\" option." + "default__deleted": "The \"noexec\" mount option causes the system to not execute binary\nfiles. This option must be used for mounting any file system not containing\napproved binary files as they may be incompatible. Executing files from\nuntrusted file systems increases the opportunity for unprivileged users to\nattain unauthorized administrative access.", + "rationale__deleted": "", + "check": { + "__old": "Verify that the \"noexec\" option is configured for /dev/shm:\n\n # cat /etc/fstab | grep /dev/shm\n\n tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\n If any results are returned and the \"noexec\" option is not listed, this\nis a finding.\n\n Verify \"/dev/shm\" is mounted with the \"noexec\" option:\n\n # mount | grep \"/dev/shm\" | grep noexec\n\n If no results are returned, this is a finding.", + "__new": "Verify that the \"noexec\" option is configured for /dev/shm:\n\n# cat /etc/fstab | grep /dev/shm\n\ntmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n\nIf any results are returned and the \"noexec\" option is not listed, this is a finding.\n\nVerify \"/dev/shm\" is mounted with the \"noexec\" option:\n\n# mount | grep \"/dev/shm\" | grep noexec\n\nIf no results are 
returned, this is a finding." + }, + "fix": { + "__old": "Configure the system so that /dev/shm is mounted with the\n\"noexec\" option.", + "__new": "Configure the system so that /dev/shm is mounted with the \"noexec\" option." + } } }, "V-81015": { + "describe__deleted": " test_file = '/etc/audisp/plugins.d/au-remote.conf'\n\n if file(test_file).exist?\n describe parse_config_file(test_file) do\n its('active') { should match %r{yes$} }\n end\n else\n describe \"File '#{test_file}' cannot be found. This test cannot be checked in a automated fashion and you must check it manually\" do\n skip \"File '#{test_file}' cannot be found. This check must be performed manually\"\n end\n end", "tags": { - "check_id": "C-80729r1_chk", - "severity": "medium", - "gid": "V-81015", - "rid": "SV-95727r1_rule", - "stig_id": "RHEL-07-030200", - "gtitle": "SRG-OS-000342-GPOS-00133", - "fix_id": "F-87849r2_fix", - "cci": [ - "CCI-001851" - ], - "nist": [ - "AU-4 (1)" - ] + "check_id__added": "C-80729r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-81015" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured to use the au-remote plugin.", - "desc": "[\"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\\n\\nOff-loading is a common process in information systems with limited audit storage capacity.\\n\\nWithout the configuration of the \\\"au-remote\\\" plugin, the audisp-remote daemon will not off-load the logs from the system being audited.\\n\\nSatisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured to\nuse the au-remote plugin.", + "__new": "The Red Hat Enterprise Linux operating system must be configured to use the au-remote plugin." 
+ }, + "desc": { + "__old": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n Without the configuration of the \"au-remote\" plugin, the audisp-remote\ndaemon will not off-load the logs from the system being audited.", + "__new": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nWithout the configuration of the \"au-remote\" plugin, the audisp-remote daemon will not off-load the logs from the system being audited.\n\n" + }, "descs": { - "check": "Verify the \"au-remote\" plugin is active on the system:\n\n# grep \"active\" /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf the \"active\" setting is not set to \"yes\", or the line is commented out, this is a finding.", - "fix": "Edit the /etc/audisp/plugins.d/au-remote.conf file and change the value of \"active\" to \"yes\".\n\nThe audit daemon must be restarted for changes to take effect:\n\n# service auditd restart" + "default__deleted": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n Without the configuration of the \"au-remote\" plugin, the audisp-remote\ndaemon will not off-load the logs from the system being audited.", + "rationale__deleted": "", + "check": { + "__old": "Verify the \"au-remote\" plugin is active on the system:\n\n # grep \"active\" /etc/audisp/plugins.d/au-remote.conf\n\n active = yes\n\n If the \"active\" setting is not set to \"yes\", or the line is commented\nout, this is a finding.", + "__new": "Verify the \"au-remote\" plugin is active on the system:\n\n# grep \"active\" /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf 
the \"active\" setting is not set to \"yes\", or the line is commented out, this is a finding." + }, + "fix": { + "__old": "Edit the /etc/audisp/plugins.d/au-remote.conf file and change the value of\n\"active\" to \"yes\".\n\n The audit daemon must be restarted for changes to take effect:\n\n # service auditd restart", + "__new": "Edit the /etc/audisp/plugins.d/au-remote.conf file and change the value of \"active\" to \"yes\".\n\nThe audit daemon must be restarted for changes to take effect:\n\n# service auditd restart" + } } }, "V-81017": { + "describe__deleted": " test_file = '/etc/audisp/plugins.d/au-remote.conf'\n\n if file(test_file).exist?\n describe parse_config_file(test_file) do\n its('direction') { should match %r{out$} }\n its('path') { should match %r{/sbin/audisp-remote$} }\n its('type') { should match %r{always$} }\n end\n else\n describe \"File '#{test_file}' cannot be found. This test cannot be checked in a automated fashion and you must check it manually\" do\n skip \"File '#{test_file}' cannot be found. 
This check must be performed manually\"\n end\n end", "tags": { - "check_id": "C-80731r2_chk", - "severity": "medium", - "gid": "V-81017", - "rid": "SV-95729r1_rule", - "stig_id": "RHEL-07-030201", - "gtitle": "SRG-OS-000342-GPOS-00133", - "fix_id": "F-87851r2_fix", - "cci": [ - "CCI-001851" - ], - "nist": [ - "AU-4 (1)" - ] + "check_id__added": "C-80731r2_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-81017" - ], - "title": "The Red Hat Enterprise Linux operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon.", - "desc": "[\"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\\n\\nOff-loading is a common process in information systems with limited audit storage capacity.\\n\\nWithout the configuration of the \\\"au-remote\\\" plugin, the audisp-remote daemon will not off load the logs from the system being audited.\\n\\nSatisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must configure the\nau-remote plugin to off-load audit logs using the audisp-remote daemon.", + "__new": "The Red Hat Enterprise Linux operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon." 
+ }, + "desc": { + "__old": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n Without the configuration of the \"au-remote\" plugin, the audisp-remote\ndaemon will not off load the logs from the system being audited.", + "__new": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nWithout the configuration of the \"au-remote\" plugin, the audisp-remote daemon will not off load the logs from the system being audited.\n\n" + }, "descs": { - "check": "Verify the \"au-remote\" plugin is configured to always off-load audit logs using the audisp-remote daemon:\n\n# cat /etc/audisp/plugins.d/au-remote.conf | grep -v \"^#\"\n\nactive = yes\ndirection = out\npath = /sbin/audisp-remote\ntype = always\nformat = string\n\nIf the \"direction\" setting is not set to \"out\", or the line is commented out, this is a finding.\n\nIf the \"path\" setting is not set to \"/sbin/audisp-remote\", or the line is commented out, this is a finding.\n\nIf the \"type\" setting is not set to \"always\", or the line is commented out, this is a finding.", - "fix": "Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values:\n\ndirection = out\npath = /sbin/audisp-remote\ntype = always\n\nThe audit daemon must be restarted for changes to take effect:\n\n# service auditd restart" + "default__deleted": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n Without the configuration of the \"au-remote\" plugin, the audisp-remote\ndaemon will not off load the logs from the system being audited.", + "rationale__deleted": "", + 
"check": { + "__old": "Verify the \"au-remote\" plugin is configured to always off-load audit logs\nusing the audisp-remote daemon:\n\n # cat /etc/audisp/plugins.d/au-remote.conf | grep -v \"^#\"\n\n active = yes\n direction = out\n path = /sbin/audisp-remote\n type = always\n format = string\n\n If the \"direction\" setting is not set to \"out\", or the line is\ncommented out, this is a finding.\n\n If the \"path\" setting is not set to \"/sbin/audisp-remote\", or the line\nis commented out, this is a finding.\n\n If the \"type\" setting is not set to \"always\", or the line is commented\nout, this is a finding.", + "__new": "Verify the \"au-remote\" plugin is configured to always off-load audit logs using the audisp-remote daemon:\n\n# cat /etc/audisp/plugins.d/au-remote.conf | grep -v \"^#\"\n\nactive = yes\ndirection = out\npath = /sbin/audisp-remote\ntype = always\nformat = string\n\nIf the \"direction\" setting is not set to \"out\", or the line is commented out, this is a finding.\n\nIf the \"path\" setting is not set to \"/sbin/audisp-remote\", or the line is commented out, this is a finding.\n\nIf the \"type\" setting is not set to \"always\", or the line is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the\nfollowing values:\n\n direction = out\n path = /sbin/audisp-remote\n type = always\n\n The audit daemon must be restarted for changes to take effect:\n\n # service auditd restart", + "__new": "Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values:\n\ndirection = out\npath = /sbin/audisp-remote\ntype = always\n\nThe audit daemon must be restarted for changes to take effect:\n\n# service auditd restart" + } } }, "V-81019": { + "describe__deleted": " if file('/etc/audisp/audispd.conf').exist?\n describe parse_config_file('/etc/audisp/audispd.conf') do\n its('overflow_action') { should match %r{syslog$|single$|halt$}i }\n end\n else\n describe \"File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually\" do\n skip \"File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually\"\n end\n end", "tags": { - "check_id": "C-80735r1_chk", - "severity": "medium", - "gid": "V-81019", - "rid": "SV-95731r1_rule", - "stig_id": "RHEL-07-030210", - "gtitle": "SRG-OS-000342-GPOS-00133", - "fix_id": "F-87853r3_fix", - "cci": [ - "CCI-001851" - ], - "nist": [ - "AU-4 (1)" - ] + "check_id__added": "C-80735r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-81019" - ], - "title": "The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full.", - "desc": "[\"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\\n\\nOff-loading is a common process in information systems with limited audit storage capacity.\\n\\nWhen the remote buffer is full, audit logs will not be collected and sent to the central log server.\\n\\nSatisfies: 
SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must take appropriate\naction when the audisp-remote buffer is full.", + "__new": "The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full." + }, + "desc": { + "__old": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n When the remote buffer is full, audit logs will not be collected and sent\nto the central log server.", + "__new": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nWhen the remote buffer is full, audit logs will not be collected and sent to the central log server.\n\n" + }, "descs": { - "check": "Verify the audisp daemon is configured to take an appropriate action when the internal queue is full:\n\n# grep \"overflow_action\" /etc/audisp/audispd.conf\n\noverflow_action = syslog\n\nIf the \"overflow_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, this is a finding.", - "fix": "Edit the /etc/audisp/audispd.conf file and add or update the \"overflow_action\" option:\n\noverflow_action = syslog\n\nThe audit daemon must be restarted for changes to take effect:\n\n# service auditd restart" + "default__deleted": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n When the remote buffer is full, audit logs will not be collected and sent\nto the central log server.", + "rationale__deleted": "", + "check": { + "__old": "Verify the audisp daemon is configured to take an 
appropriate action when\nthe internal queue is full:\n\n # grep \"overflow_action\" /etc/audisp/audispd.conf\n\n overflow_action = syslog\n\n If the \"overflow_action\" option is not \"syslog\", \"single\", or\n\"halt\", or the line is commented out, this is a finding.", + "__new": "Verify the audisp daemon is configured to take an appropriate action when the internal queue is full:\n\n# grep \"overflow_action\" /etc/audisp/audispd.conf\n\noverflow_action = syslog\n\nIf the \"overflow_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, this is a finding." + }, + "fix": { + "__old": "Edit the /etc/audisp/audispd.conf file and add or update the\n\"overflow_action\" option:\n\n overflow_action = syslog\n\n The audit daemon must be restarted for changes to take effect:\n\n # service auditd restart", + "__new": "Edit the /etc/audisp/audispd.conf file and add or update the \"overflow_action\" option:\n\noverflow_action = syslog\n\nThe audit daemon must be restarted for changes to take effect:\n\n# service auditd restart" + } } }, "V-81021": { + "describe__deleted": " if file('/etc/audisp/audispd.conf').exist?\n describe parse_config_file('/etc/audisp/audispd.conf') do\n its('name_format') { should match %r{^hostname$|^fqd$|^numeric$}i }\n end\n else\n describe \"File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually\" do\n skip \"File '/etc/audisp/audispd.conf' cannot be found. 
This check must be performed manually\"\n end\n end", "tags": { - "check_id": "C-80737r1_chk", - "severity": "medium", - "gid": "V-81021", - "rid": "SV-95733r1_rule", - "stig_id": "RHEL-07-030211", - "gtitle": "SRG-OS-000342-GPOS-00133", - "fix_id": "F-87855r2_fix", - "cci": [ - "CCI-001851" - ], - "nist": [ - "AU-4 (1)" - ] + "check_id__added": "C-80737r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-81021" - ], - "title": "The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server.", - "desc": "[\"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\\n\\nOff-loading is a common process in information systems with limited audit storage capacity.\\n\\nWhen audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system.\\n\\nSatisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must label all\noff-loaded audit logs before sending them to the central log server.", + "__new": "The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server." 
+ }, + "desc": { + "__old": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n When audit logs are not labeled before they are sent to a central log\nserver, the audit data will not be able to be analyzed and tied back to the\ncorrect system.", + "__new": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nWhen audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system.\n\n" + }, "descs": { - "check": "Verify the audisp daemon is configured to label all off-loaded audit logs:\n\n# grep \"name_format\" /etc/audisp/audispd.conf\n\nname_format = hostname\n\nIf the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\", or the line is commented out, this is a finding.", - "fix": "Edit the /etc/audisp/audispd.conf file and add or update the \"name_format\" option:\n\nname_format = hostname\n\nThe audit daemon must be restarted for changes to take effect:\n\n# service auditd restart" + "default__deleted": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\n Off-loading is a common process in information systems with limited audit\nstorage capacity.\n\n When audit logs are not labeled before they are sent to a central log\nserver, the audit data will not be able to be analyzed and tied back to the\ncorrect system.", + "rationale__deleted": "", + "check": { + "__old": "Verify the audisp daemon is configured to label all off-loaded audit logs:\n\n # grep \"name_format\" /etc/audisp/audispd.conf\n\n name_format = hostname\n\n If the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\",\nor the line is 
commented out, this is a finding.", + "__new": "Verify the audisp daemon is configured to label all off-loaded audit logs:\n\n# grep \"name_format\" /etc/audisp/audispd.conf\n\nname_format = hostname\n\nIf the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\", or the line is commented out, this is a finding." + }, + "fix": { + "__old": "Edit the /etc/audisp/audispd.conf file and add or update the\n\"name_format\" option:\n\n name_format = hostname\n\n The audit daemon must be restarted for changes to take effect:\n\n # service auditd restart", + "__new": "Edit the /etc/audisp/audispd.conf file and add or update the \"name_format\" option:\n\nname_format = hostname\n\nThe audit daemon must be restarted for changes to take effect:\n\n# service auditd restart" + } } }, "V-92251": { + "describe__deleted": " describe kernel_parameter('net.ipv4.conf.all.rp_filter') do\n its('value') { should eq 1 }\n end", "tags": { - "check_id": "C-91431r1_chk", - "severity": "medium", - "gid": "V-92251", - "rid": "SV-102353r1_rule", - "stig_id": "RHEL-07-040611", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-98473r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-91431r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-92251" - ], - "title": "The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.", - "desc": "[\"Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. 
It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must use a reverse-path\nfilter for IPv4 network traffic when possible on all interfaces.", + "__new": "The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces." + }, + "desc": { + "__old": "Enabling reverse path filtering drops packets with source addresses\nthat should not have been able to be received on the interface they were\nreceived on. It should not be used on systems which are routers for complicated\nnetworks, but is helpful for end hosts and routers serving small networks.", + "__new": "Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks." 
+ }, "descs": { - "check": "Verify the system uses a reverse-path filter for IPv4:\n\n# grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d/*\nnet.ipv4.conf.all.rp_filter = 1\n\nIf \"net.ipv4.conf.all.rp_filter\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter\nnet.ipv4.conf.all.rp_filter = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.all.rp_filter = 1 \n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + "default__deleted": "Enabling reverse path filtering drops packets with source addresses\nthat should not have been able to be received on the interface they were\nreceived on. 
It should not be used on systems which are routers for complicated\nnetworks, but is helpful for end hosts and routers serving small networks.", + "rationale__deleted": "", + "check": { + "__old": "Verify the system uses a reverse-path filter for IPv4:\n\n # grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d/*\n net.ipv4.conf.all.rp_filter = 1\n\n If \"net.ipv4.conf.all.rp_filter\" is not configured in the\n/etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or\ndoes not have a value of \"1\", this is a finding.\n\n Check that the operating system implements the accept source route variable\nwith the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter\n net.ipv4.conf.all.rp_filter = 1\n\n If the returned line does not have a value of \"1\", this is a finding.", + "__new": "Verify the system uses a reverse-path filter for IPv4:\n\n# grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d/*\nnet.ipv4.conf.all.rp_filter = 1\n\nIf \"net.ipv4.conf.all.rp_filter\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter\nnet.ipv4.conf.all.rp_filter = 1\n\nIf the returned line does not have a value of \"1\", this is a finding." 
+ }, + "fix": { + "__old": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.all.rp_filter = 1\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system", + "__new": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.all.rp_filter = 1 \n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + } } }, "V-92253": { + "describe__deleted": " describe kernel_parameter('net.ipv4.conf.default.rp_filter') do\n its('value') { should eq 1 }\n end", "tags": { - "check_id": "C-91433r1_chk", - "severity": "medium", - "gid": "V-92253", - "rid": "SV-102355r1_rule", - "stig_id": "RHEL-07-040612", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-98475r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-91433r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-92253" - ], - "title": "The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.", - "desc": "[\"Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. 
It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must use a reverse-path\nfilter for IPv4 network traffic when possible by default.", + "__new": "The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default." + }, + "desc": { + "__old": "Enabling reverse path filtering drops packets with source addresses\nthat should not have been able to be received on the interface they were\nreceived on. It should not be used on systems which are routers for complicated\nnetworks, but is helpful for end hosts and routers serving small networks.", + "__new": "Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks." 
+ }, "descs": { - "check": "Verify the system uses a reverse-path filter for IPv4:\n\n# grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d/*\nnet.ipv4.conf.default.rp_filter = 1\n\nIf \"net.ipv4.conf.default.rp_filter\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter\nnet.ipv4.conf.default.rp_filter = 1\n\nIf the returned line does not have a value of \"1\", this is a finding.", - "fix": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.default.rp_filter = 1 \n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + "default__deleted": "Enabling reverse path filtering drops packets with source addresses\nthat should not have been able to be received on the interface they were\nreceived on. 
It should not be used on systems which are routers for complicated\nnetworks, but is helpful for end hosts and routers serving small networks.", + "rationale__deleted": "", + "check": { + "__old": "Verify the system uses a reverse-path filter for IPv4:\n\n # grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d/*\n net.ipv4.conf.default.rp_filter = 1\n\n If \"net.ipv4.conf.default.rp_filter\" is not configured in the\n/etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or\ndoes not have a value of \"1\", this is a finding.\n\n Check that the operating system implements the accept source route variable\nwith the following command:\n\n # /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter\n net.ipv4.conf.default.rp_filter = 1\n\n If the returned line does not have a value of \"1\", this is a finding.", + "__new": "Verify the system uses a reverse-path filter for IPv4:\n\n# grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d/*\nnet.ipv4.conf.default.rp_filter = 1\n\nIf \"net.ipv4.conf.default.rp_filter\" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of \"1\", this is a finding.\n\nCheck that the operating system implements the accept source route variable with the following command:\n\n# /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter\nnet.ipv4.conf.default.rp_filter = 1\n\nIf the returned line does not have a value of \"1\", this is a finding." 
+ }, + "fix": { + "__old": "Set the system to the required kernel parameter by adding the following\nline to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/\ndirectory (or modify the line to have the required value):\n\n net.ipv4.conf.default.rp_filter = 1\n\n Issue the following command to make the changes take effect:\n\n # sysctl --system", + "__new": "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):\n\nnet.ipv4.conf.default.rp_filter = 1 \n\nIssue the following command to make the changes take effect:\n\n# sysctl --system" + } } }, "V-92255": { + "describe__deleted": " custom_hips = input('custom_hips')\n\n if ! custom_hips\n describe package('MFEhiplsm') do\n it { should be_installed }\n end\n describe processes(/hipclient/) do\n it { should exist }\n end\n else\n # Special case for SELinux\n sel_mode = command('getenforce').stdout.strip\n custom_hips_daemon = input('custom_hips_daemon')\n max_daemon_processes = input('max_daemon_processes')\n\n describe.one do\n describe \"SELinux mode\" do\n subject { sel_mode }\n it { should cmp 'Enforcing' }\n end\n describe processes(/#{custom_hips_daemon}/) do\n it { should exist }\n its('count') { should be < max_daemon_processes }\n end\n end\n end", "tags": { - "check_id": "C-91435r1_chk", - "severity": "medium", - "gid": "V-92255", - "rid": "SV-102357r1_rule", - "stig_id": "RHEL-07-020019", - "gtitle": "SRG-OS-000196", - "fix_id": "F-98477r1_fix", - "cci": [ - "CCI-001263" - ], - "nist": [ - "SI-4 (5)" - ] + "check_id__added": "C-91435r1_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "medium" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-92255" - ], - "title": "The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed.", - "desc": "[\"Adding 
host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.false\"]", - "impact": 0.5, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must have a host-based\nintrusion detection tool installed.", + "__new": "The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed." + }, + "desc": { + "__old": "Adding host-based intrusion detection tools can provide the capability\nto automatically take actions in response to malicious behavior, which can\nprovide additional agility in reacting to network threats. These tools also\noften include a reporting capability to provide network awareness of the\nsystem, which may not otherwise exist in an organization's systems management\nregime.", + "__new": "Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime." + }, "descs": { - "check": "Ask the SA or ISSO if a host-based intrusion detection application is loaded on the system. Per OPORD 16-0080, the preferred intrusion detection system is McAfee HBSS available through the U.S. 
Cyber Command (USCYBERCOM).\n\nIf another host-based intrusion detection application is in use, such as SELinux, this must be documented and approved by the local Authorizing Official.\n\nProcedure:\nExamine the system to determine if the Host Intrusion Prevention System (HIPS) is installed:\n\n# rpm -qa | grep MFEhiplsm\n\nVerify that the McAfee HIPS module is active on the system:\n\n# ps -ef | grep -i “hipclient”\n\nIf the MFEhiplsm package is not installed, check for another intrusion detection system:\n\n# find / -name \n\nWhere is the name of the primary application daemon to determine if the application is loaded on the system.\n\nDetermine if the application is active on the system:\n\n# ps -ef | grep -i \n\nIf the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding.\n\nIf no host-based intrusion detection system is installed and running on the system, this is a finding.", - "fix": "Install and enable the latest McAfee HIPS package, available from USCYBERCOM.\n\nNote: If the system does not support the McAfee HIPS package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official." + "default__deleted": "Adding host-based intrusion detection tools can provide the capability\nto automatically take actions in response to malicious behavior, which can\nprovide additional agility in reacting to network threats. These tools also\noften include a reporting capability to provide network awareness of the\nsystem, which may not otherwise exist in an organization's systems management\nregime.", + "rationale__deleted": "", + "check": { + "__old": "Ask the SA or ISSO if a host-based intrusion detection application is\nloaded on the system. Per OPORD 16-0080, the preferred intrusion detection\nsystem is McAfee HBSS available through the U.S. 
Cyber Command (USCYBERCOM).\n\n If another host-based intrusion detection application is in use, such as\nSELinux, this must be documented and approved by the local Authorizing Official.\n\n Procedure:\n Examine the system to determine if the Host Intrusion Prevention System\n(HIPS) is installed:\n\n # rpm -qa | grep MFEhiplsm\n\n Verify that the McAfee HIPS module is active on the system:\n\n # ps -ef | grep -i “hipclient”\n\n If the MFEhiplsm package is not installed, check for another intrusion\ndetection system:\n\n # find / -name \n\n Where is the name of the primary application daemon to\ndetermine if the application is loaded on the system.\n\n Determine if the application is active on the system:\n\n # ps -ef | grep -i \n\n If the MFEhiplsm package is not installed and an alternate host-based\nintrusion detection application has not been documented for use, this is a\nfinding.\n\n If no host-based intrusion detection system is installed and running on the\nsystem, this is a finding.", + "__new": "Ask the SA or ISSO if a host-based intrusion detection application is loaded on the system. Per OPORD 16-0080, the preferred intrusion detection system is McAfee HBSS available through the U.S. 
Cyber Command (USCYBERCOM).\n\nIf another host-based intrusion detection application is in use, such as SELinux, this must be documented and approved by the local Authorizing Official.\n\nProcedure:\nExamine the system to determine if the Host Intrusion Prevention System (HIPS) is installed:\n\n# rpm -qa | grep MFEhiplsm\n\nVerify that the McAfee HIPS module is active on the system:\n\n# ps -ef | grep -i “hipclient”\n\nIf the MFEhiplsm package is not installed, check for another intrusion detection system:\n\n# find / -name \n\nWhere is the name of the primary application daemon to determine if the application is loaded on the system.\n\nDetermine if the application is active on the system:\n\n# ps -ef | grep -i \n\nIf the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding.\n\nIf no host-based intrusion detection system is installed and running on the system, this is a finding." + }, + "fix": { + "__old": "Install and enable the latest McAfee HIPS package, available from\nUSCYBERCOM.\n\n Note: If the system does not support the McAfee HIPS package, install and\nenable a supported intrusion detection system application and document its use\nwith the Authorizing Official.", + "__new": "Install and enable the latest McAfee HIPS package, available from USCYBERCOM.\n\nNote: If the system does not support the McAfee HIPS package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official." 
+ } } }, "V-94843": { + "describe__deleted": " unless package('gnome-settings-daemon').installed?\n impact 0.0\n describe \"The system does not have GNOME installed\" do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n else \n describe command(\"gsettings get org.gnome.settings-daemon.media-keys logout\") do\n its('stdout.strip') { should cmp \"''\" }\n end \n end", "tags": { - "check_id": "C-94039r3_chk", - "severity": "high", - "gid": "V-94843", - "rid": "SV-104673r2_rule", - "stig_id": "RHEL-07-020231", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-100967r2_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id__added": "C-94039r3_chk", + "documentable__added": false, + "severity": { + "__old": null, + "__new": "high" + }, + "rid": { + "__old": "SV-104673r1_rule", + "__new": "SV-104673r2_rule" + }, + "fix_id": { + "__old": "F-100967r1_fix", + "__new": "F-100967r2_fix" + } }, "refs": [ [ + "+", "DPMS Target Red Hat 7" ] ], - "id": [ - "V-94843" - ], - "title": "The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.", - "desc": "[\"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.false\"]", - "impact": 0.7, + "title": { + "__old": "The Red Hat Enterprise Linux operating system must be configured so\nthat the x86 Ctrl-Alt-Delete key sequence is disabled in the GUI.", + "__new": "The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface." + }, + "desc": { + "__old": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", + "__new": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken." 
+ }, + "impact": { + "__old": 0, + "__new": 0.7 + }, "descs": { - "check": "Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nVerify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n\nCheck that the ctrl-alt-del.target is masked and not active in the graphical user interface with the following command:\n\n# grep logout /etc/dconf/db/local.d/*\n\nlogout=''\n\nIf \"logout\" is not set to use two single quotations, or is missing, this is a finding.", - "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface with the following command:\n\n# touch /etc/dconf/db/local.d/00-disable-CAD \n\nAdd the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''" + "default__deleted": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. 
In the GNOME graphical\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.", + "rationale__deleted": "", + "check": { + "__old": "Verify the operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\n Check that the ctrl-alt-del.target is masked and not active in the GUI with\nthe following command:\n\n # grep logout /etc/dconf/local.d/*\n\n logout=''\n\n If \"logout\" is not set to use two single quotations, or is missing, this\nis a finding.", + "__new": "Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nVerify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n\nCheck that the ctrl-alt-del.target is masked and not active in the graphical user interface with the following command:\n\n# grep logout /etc/dconf/db/local.d/*\n\nlogout=''\n\nIf \"logout\" is not set to use two single quotations, or is missing, this is a finding." + }, + "fix": { + "__old": "Configure the system to disable the Ctrl-Alt-Delete sequence for the GUI\nwith the following command:\n\n # touch /etc/dconf/db/local.d/00-disable-CAD\n\n Add the setting to disable the Ctrl-Alt-Delete sequence for GNOME:\n\n [org/gnome/settings-daemon/plugins/media-keys]\n logout=''", + "__new": "Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface with the following command:\n\n# touch /etc/dconf/db/local.d/00-disable-CAD \n\nAdd the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''" + } } } - }, - "changedControls": {} + } } } \ No newline at end of file diff --git a/test/sample_data/diffs/RHEL8_V1R2_V1R3.json b/test/sample_data/diffs/RHEL8_V1R2_V1R3.json index 389c76b..c645d8d 100644 --- a/test/sample_data/diffs/RHEL8_V1R2_V1R3.json 
+++ b/test/sample_data/diffs/RHEL8_V1R2_V1R3.json 
@@ -1,125 +1,392 @@ { "ignoreFormattingDiff": { "addedControlIDs": [ - [ - "V-244519" - ], - [ - "V-244520" - ], - [ - "V-244521" - ], - [ - "V-244522" - ], - [ - "V-244523" - ], - [ - "V-244524" - ], - [ - "V-244525" - ], - [ - "V-244526" - ], - [ - "V-244527" - ], - [ - "V-244528" - ], - [ - "V-244529" - ], - [ - "V-244530" - ], - [ - "V-244531" - ], - [ - "V-244532" - ], - [ - "V-244533" - ], - [ - "V-244534" - ], - [ - "V-244535" - ], - [ - "V-244536" - ], - [ - "V-244537" - ], - [ - "V-244538" - ], - [ - "V-244539" - ], - [ - "V-244540" - ], - [ - "V-244541" - ], - [ - "V-244542" - ], - [ - "V-244543" - ], - [ - "V-244544" - ], - [ - "V-244545" - ], - [ - "V-244546" - ], - [ - "V-244547" - ], - [ - "V-244548" - ], - [ - "V-244549" - ], - [ - "V-244550" - ], - [ - "V-244551" - ], - [ - "V-244552" - ], - [ - "V-244553" - ], - [ - "V-244554" - ], - [ - "V-245540" - ] + "V-244519", + "V-244520", + "V-244521", + "V-244522", + "V-244523", + "V-244524", + "V-244525", + "V-244526", + "V-244527", + "V-244528", + "V-244529", + "V-244530", + "V-244531", + "V-244532", + "V-244533", + "V-244534", + "V-244535", + "V-244536", + "V-244537", + "V-244538", + "V-244539", + "V-244540", + "V-244541", + "V-244542", + "V-244543", + "V-244544", + "V-244545", + "V-244546", + "V-244547", + "V-244548", + "V-244549", + "V-244550", + "V-244551", + "V-244552", + "V-244553", + "V-244554", + "V-245540" ], "removedControlIDs": [ - [ - "V-230528" - ] + "V-230528" ], "renamedControlIDs": {}, - "changedControlIDs": [], + "changedControlIDs": [ + "V-230221", + "V-230222", + "V-230223", + "V-230224", + "V-230225", + "V-230226", + "V-230227", + "V-230228", + "V-230229", + "V-230230", + "V-230231", + "V-230232", + "V-230233", + "V-230234", + "V-230235", + "V-230236", + "V-230237", + "V-230238", + "V-230239", + "V-230240", + "V-230241", + "V-230242", + "V-230243", + "V-230244", + "V-230245", + "V-230246", + "V-230247", + "V-230248", + "V-230249", + "V-230250", + "V-230251", + "V-230252", + 
"V-230253", + "V-230254", + "V-230255", + "V-230256", + "V-230257", + "V-230258", + "V-230259", + "V-230260", + "V-230261", + "V-230262", + "V-230263", + "V-230264", + "V-230265", + "V-230266", + "V-230267", + "V-230268", + "V-230269", + "V-230270", + "V-230271", + "V-230272", + "V-230273", + "V-230274", + "V-230275", + "V-230276", + "V-230277", + "V-230278", + "V-230279", + "V-230280", + "V-230281", + "V-230282", + "V-230283", + "V-230284", + "V-230285", + "V-230286", + "V-230287", + "V-230288", + "V-230289", + "V-230290", + "V-230291", + "V-230292", + "V-230293", + "V-230294", + "V-230295", + "V-230296", + "V-230297", + "V-230298", + "V-230299", + "V-230300", + "V-230301", + "V-230302", + "V-230303", + "V-230304", + "V-230305", + "V-230306", + "V-230307", + "V-230308", + "V-230309", + "V-230310", + "V-230311", + "V-230312", + "V-230313", + "V-230314", + "V-230315", + "V-230316", + "V-230317", + "V-230318", + "V-230319", + "V-230320", + "V-230321", + "V-230322", + "V-230323", + "V-230324", + "V-230325", + "V-230326", + "V-230327", + "V-230328", + "V-230329", + "V-230330", + "V-230331", + "V-230332", + "V-230333", + "V-230334", + "V-230335", + "V-230336", + "V-230337", + "V-230338", + "V-230339", + "V-230340", + "V-230341", + "V-230342", + "V-230343", + "V-230344", + "V-230345", + "V-230346", + "V-230347", + "V-230348", + "V-230349", + "V-230350", + "V-230351", + "V-230352", + "V-230353", + "V-230354", + "V-230355", + "V-230356", + "V-230357", + "V-230358", + "V-230359", + "V-230360", + "V-230361", + "V-230362", + "V-230363", + "V-230364", + "V-230365", + "V-230366", + "V-230367", + "V-230368", + "V-230369", + "V-230370", + "V-230371", + "V-230372", + "V-230373", + "V-230374", + "V-230375", + "V-230376", + "V-230377", + "V-230378", + "V-230379", + "V-230380", + "V-230381", + "V-230382", + "V-230383", + "V-230384", + "V-230385", + "V-230386", + "V-230387", + "V-230388", + "V-230389", + "V-230390", + "V-230391", + "V-230392", + "V-230393", + "V-230394", + "V-230395", 
+ "V-230396", + "V-230397", + "V-230398", + "V-230399", + "V-230400", + "V-230401", + "V-230402", + "V-230403", + "V-230404", + "V-230405", + "V-230406", + "V-230407", + "V-230408", + "V-230409", + "V-230410", + "V-230411", + "V-230412", + "V-230413", + "V-230414", + "V-230415", + "V-230416", + "V-230417", + "V-230418", + "V-230419", + "V-230420", + "V-230421", + "V-230422", + "V-230423", + "V-230424", + "V-230425", + "V-230426", + "V-230427", + "V-230428", + "V-230429", + "V-230430", + "V-230431", + "V-230432", + "V-230433", + "V-230434", + "V-230435", + "V-230436", + "V-230437", + "V-230438", + "V-230439", + "V-230440", + "V-230441", + "V-230442", + "V-230443", + "V-230444", + "V-230445", + "V-230446", + "V-230447", + "V-230448", + "V-230449", + "V-230450", + "V-230451", + "V-230452", + "V-230453", + "V-230454", + "V-230455", + "V-230456", + "V-230457", + "V-230458", + "V-230459", + "V-230460", + "V-230461", + "V-230462", + "V-230463", + "V-230464", + "V-230465", + "V-230466", + "V-230467", + "V-230468", + "V-230469", + "V-230470", + "V-230471", + "V-230472", + "V-230473", + "V-230474", + "V-230475", + "V-230476", + "V-230477", + "V-230478", + "V-230479", + "V-230480", + "V-230481", + "V-230482", + "V-230483", + "V-230484", + "V-230485", + "V-230486", + "V-230487", + "V-230488", + "V-230489", + "V-230491", + "V-230492", + "V-230493", + "V-230494", + "V-230495", + "V-230496", + "V-230497", + "V-230498", + "V-230499", + "V-230500", + "V-230502", + "V-230503", + "V-230504", + "V-230505", + "V-230506", + "V-230507", + "V-230508", + "V-230509", + "V-230510", + "V-230511", + "V-230512", + "V-230513", + "V-230514", + "V-230515", + "V-230516", + "V-230517", + "V-230518", + "V-230519", + "V-230520", + "V-230521", + "V-230522", + "V-230523", + "V-230524", + "V-230525", + "V-230526", + "V-230527", + "V-230529", + "V-230530", + "V-230531", + "V-230532", + "V-230533", + "V-230534", + "V-230535", + "V-230536", + "V-230537", + "V-230538", + "V-230539", + "V-230540", + 
"V-230541", + "V-230542", + "V-230543", + "V-230544", + "V-230545", + "V-230546", + "V-230547", + "V-230548", + "V-230549", + "V-230550", + "V-230551", + "V-230552", + "V-230553", + "V-230554", + "V-230555", + "V-230556", + "V-230557", + "V-230558", + "V-230559", + "V-230560", + "V-230561", + "V-237640", + "V-237641", + "V-237642", + "V-237643" + ], "addedControls": { "V-244519": { "tags": { @@ -130,6 +397,11 @@ "stig_id": "RHEL-08-010049", "gtitle": "SRG-OS-000023-GPOS-00006", "fix_id": "F-47751r743805_fix", + "satisfies": [ + "SRG-OS-000023-GPOS-00006", + "SRG-OS-000228-GPOS-00088" + ], + "documentable": false, "cci": [ "CCI-000048" ], 
@@ -138,15 +410,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244519" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244519", "title": "RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.", - "desc": "[\"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\\n\\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\\n\\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088false\"]", + "desc": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\n", "impact": 0.5, "descs": { "check": "Verify RHEL 8 displays a banner before granting access to the operating system via a graphical user logon.\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. \n\nCheck to see if the operating system displays a banner at the logon screen with the following command:\n\n$ sudo grep banner-message-enable /etc/dconf/db/local.d/*\n\nbanner-message-enable=true\n\nIf \"banner-message-enable\" is set to \"false\" or is missing, this is a finding.", 
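Review bot: The new `desc` value for V-244519 ends in a dangling `\n\n` (`...do not exist.\n\n"`), left behind where the old fused `Satisfies: ... false` tail was split out into the separate `satisfies` array and `documentable` field; the same trailing separator appears in the new `desc` of V-244525, V-244526, V-244533 and V-244534 in the later hunks. Since this file pins expected parser output, it now locks in that trailing whitespace, so a later trim in the description splitter (which is outside this file, presumably in src/parsers/xccdf.ts) would force a fixture regeneration. Consider having the splitter trim the separator before the fixture is committed, so the expected `desc` reads `"...do not exist."` and the invariant "desc carries no trailing blank lines" is what the fixture asserts. If the trailing newlines are intentional, a short note in the fixture's companion test naming that expectation would save the next reader from treating them as a bug.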
@@ -162,6 +430,7 @@ "stig_id": "RHEL-08-010131", "gtitle": "SRG-OS-000073-GPOS-00041", "fix_id": "F-47752r743808_fix", + "documentable": false, "cci": [ "CCI-000196" ], @@ -170,15 +439,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244520" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244520", "title": "The RHEL 8 system-auth file must be configured to use a sufficient number of hashing rounds.", - "desc": "[\"The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.\\n\\nPasswords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.false\"]", + "desc": "The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.\n\nPasswords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.", "impact": 0.5, "descs": { "check": "Check that a minimum number of hash rounds is configured by running the following command:\n\n$ sudo grep rounds /etc/pam.d/system-auth\n\npassword sufficient pam_unix.so sha512 rounds=5000\n\nIf \"rounds\" has a value below \"5000\", or is commented out, this is a finding.", @@ -194,6 +459,7 @@ "stig_id": "RHEL-08-010141", "gtitle": "SRG-OS-000080-GPOS-00048", "fix_id": "F-47753r743811_fix", + "documentable": false, "cci": [ "CCI-000213" ], 
@@ -202,15 +468,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244521" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244521", "title": "RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.", - "desc": "[\"If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.false\"]", + "desc": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.", "impact": 0.5, "descs": { "check": "For systems that use BIOS, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/efi/EFI/redhat/grub.cfg\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nIf \"superusers\" is not set to a unique name or is missing a name, this is a finding.", @@ -226,6 +488,7 @@ "stig_id": "RHEL-08-010149", "gtitle": "SRG-OS-000080-GPOS-00048", "fix_id": "F-47754r743814_fix", + "documentable": false, "cci": [ "CCI-000213" ], 
@@ -234,15 +497,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244522" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244522", "title": "RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.", - "desc": "[\"If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.false\"]", + "desc": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.", "impact": 0.5, "descs": { "check": "For systems that use UEFI, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/grub2/grub.cfg\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nIf \"superusers\" is not set to a unique name or is missing a name, this is a finding.", @@ -258,6 +517,7 @@ "stig_id": "RHEL-08-010152", "gtitle": "SRG-OS-000080-GPOS-00048", "fix_id": "F-47755r743817_fix", + "documentable": false, "cci": [ "CCI-000213" ], 
@@ -266,15 +526,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244523" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244523", "title": "RHEL 8 operating systems must require authentication upon booting into emergency mode.", - "desc": "[\"If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.false\"]", + "desc": "If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.", "impact": 0.5, "descs": { "check": "Check to see if the system requires authentication for emergency mode with the following command:\n\n$ sudo grep sulogin-shell /usr/lib/systemd/system/emergency.service\n\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency\n\nIf the \"ExecStart\" line is configured for anything other than \"/usr/lib/systemd/systemd-sulogin-shell emergency\", commented out, or missing, this is a finding.", @@ -290,6 +546,7 @@ "stig_id": "RHEL-08-010159", "gtitle": "SRG-OS-000120-GPOS-00061", "fix_id": "F-47756r743820_fix", + "documentable": false, "cci": [ "CCI-000803" ], 
@@ -298,15 +555,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244524" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244524", "title": "The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.", - "desc": "[\"Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\\n\\nRHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. \\n\\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.false\"]", + "desc": "Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n\nRHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. \n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.", "impact": 0.5, "descs": { "check": "Verify that pam_unix.so module is configured to use sha512.\n\nCheck that pam_unix.so module is configured to use sha512 in /etc/pam.d/system-auth with the following command:\n\n$ sudo grep password /etc/pam.d/system-auth | grep pam_unix\n\npassword sufficient pam_unix.so sha512 rounds=5000\n\nIf \"sha512\" is missing, or is commented out, this is a finding.", 
@@ -322,6 +575,12 @@ "stig_id": "RHEL-08-010201", "gtitle": "SRG-OS-000163-GPOS-00072", "fix_id": "F-47757r743823_fix", + "satisfies": [ + "SRG-OS-000163-GPOS-00072", + "SRG-OS-000126-GPOS-00066", + "SRG-OS-000279-GPOS-00109" + ], + "documentable": false, "cci": [ "CCI-001133" ], 
@@ -330,15 +589,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244525" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244525", "title": "The RHEL 8 SSH daemon must be configured with a timeout interval.", - "desc": "[\"Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\\n\\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\\n\\nRHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of \\\"ClientAliveInterval\\\" and \\\"ClientAliveCountMax\\\" are used to establish the inactivity threshold. The \\\"ClientAliveInterval\\\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \\\"ClientAliveCountMax\\\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. 
For more information on these settings and others, refer to the sshd_config man pages.\\n\\nSatisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000126-GPOS-00066, SRG-OS-000279-GPOS-00109false\"]", + "desc": "Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\nRHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" are used to establish the inactivity threshold. The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. 
For more information on these settings and others, refer to the sshd_config man pages.\n\n", "impact": 0.5, "descs": { "check": "Verify all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity.\n\nCheck that the \"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following command:\n\n$ sudo grep -i clientalive /etc/ssh/sshd_config\n\nClientAliveInterval 600\nClientAliveCountMax 0\n\nIf \"ClientAliveInterval\" does not exist, does not have a value of \"600\" or less in \"/etc/ssh/sshd_config\", or is commented out, this is a finding.", @@ -354,6 +609,13 @@ "stig_id": "RHEL-08-010287", "gtitle": "SRG-OS-000250-GPOS-00093", "fix_id": "F-47758r743826_fix", + "satisfies": [ + "SRG-OS-000250-GPOS-00093", + "SRG-OS-000393-GPOS-00173", + "SRG-OS-000394-GPOS-00174", + "SRG-OS-000125-GPOS-00065" + ], + "documentable": false, "cci": [ "CCI-001453" ], 
@@ -362,15 +624,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244526" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244526", "title": "The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.", - "desc": "[\"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\\n\\nRemote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\\n\\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\\n\\nRHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory.\\n\\nSatisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065false\"]", + "desc": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. 
Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\n\nRHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory.\n\n", "impact": 0.5, "descs": { "check": "Verify that system-wide crypto policies are in effect:\n\n$ sudo grep -i crypto_policy /etc/sysconfig/sshd\n\n# crypto_policy=\n\nIf the \"crypto_policy\" is uncommented, this is a finding.", @@ -386,6 +644,7 @@ "stig_id": "RHEL-08-010472", "gtitle": "SRG-OS-000480-GPOS-00227", "fix_id": "F-47759r743829_fix", + "documentable": false, "cci": [ "CCI-000366" ], 
@@ -394,15 +653,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244527" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244527", "title": "RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.", - "desc": "[\"The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. \\n\\nThe rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers).false\"]", + "desc": "The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. \n\nThe rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers).", "impact": 0.3, "descs": { "check": "Check that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command:\n\n$ sudo yum list installed rng-tools\n\nrng-tools.x86_64 6.8-3.el8 @anaconda\n\nIf the \"rng-tools\" package is not installed, this is a finding.", 
@@ -418,6 +673,7 @@ "stig_id": "RHEL-08-010522", "gtitle": "SRG-OS-000480-GPOS-00227", "fix_id": "F-47760r743832_fix", + "documentable": false, "cci": [ "CCI-000366" ], @@ -426,15 +682,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244528" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244528", "title": "The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.", - "desc": "[\"Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false\"]", + "desc": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.", "impact": 0.5, "descs": { "check": "Verify the SSH daemon does not allow GSSAPI authentication with the following command:\n\n$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config\n\nGSSAPIAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, no output is returned, or has not been documented with the ISSO, this is a finding.", @@ -450,6 +702,7 @@ "stig_id": "RHEL-08-010544", "gtitle": "SRG-OS-000480-GPOS-00227", "fix_id": "F-47761r743835_fix", + "documentable": false, "cci": [ "CCI-000366" ], 
@@ -458,15 +711,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244529" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244529", "title": "RHEL 8 must use a separate file system for /var/tmp.", - "desc": "[\"The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false\"]", + "desc": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.", "impact": 0.5, "descs": { "check": "Verify that a separate file system/partition has been created for \"/var/tmp\".\n\nCheck that a file system/partition has been created for \"/var/tmp\" with the following command:\n\n$ sudo grep /var/tmp /etc/fstab\n\nUUID=c274f65f /var/tmp xfs noatime,nobarrier 1 2\n\nIf a separate entry for \"/var/tmp\" is not in use, this is a finding.", @@ -482,6 +731,7 @@ "stig_id": "RHEL-08-010572", "gtitle": "SRG-OS-000480-GPOS-00227", "fix_id": "F-47762r743838_fix", + "documentable": false, "cci": [ "CCI-000366" ], 
@@ -490,15 +740,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244530" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244530", "title": "RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.", - "desc": "[\"The \\\"nosuid\\\" mount option causes the system not to execute \\\"setuid\\\" and \\\"setgid\\\" files with owner privileges. This option must be used for mounting any file system not containing approved \\\"setuid\\\" and \\\"setguid\\\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false\"]", + "desc": "The \"nosuid\" mount option causes the system not to execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.", "impact": 0.5, "descs": { "check": "For systems that use BIOS, this is Not Applicable.\n\nVerify the /boot/efi directory is mounted with the \"nosuid\" option with the following command:\n\n$ sudo mount | grep '\\s/boot/efi\\s'\n\n/dev/sda1 on /boot/efi type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota)\n\nIf the /boot/efi file system does not have the \"nosuid\" option set, this is a finding.", @@ -514,6 +760,7 @@ "stig_id": "RHEL-08-010731", "gtitle": "SRG-OS-000480-GPOS-00227", "fix_id": "F-47763r743841_fix", + "documentable": false, "cci": [ "CCI-000366" ], 
@@ -522,15 +769,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244531" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244531", "title": "All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.", - "desc": "[\"Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.false\"]", + "desc": "Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.", "impact": 0.5, "descs": { "check": "Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of \"0750\".\nFiles that begin with a \".\" are excluded from this requirement.\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n\n$ sudo ls -lLR /home/smithj\n-rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1\n-rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3\n\nIf any files or directories are found with a mode more permissive than \"0750\", this is a finding.", @@ -546,6 +789,7 @@ "stig_id": "RHEL-08-010741", "gtitle": "SRG-OS-000480-GPOS-00227", "fix_id": "F-47764r743844_fix", + "documentable": false, "cci": [ "CCI-000366" ], 
@@ -554,15 +798,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244532" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244532", "title": "RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.", - "desc": "[\"If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.false\"]", + "desc": "If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.", "impact": 0.5, "descs": { "check": "Verify all files and directories in a local interactive user home directory are group-owned by a group that the user is a member.\n\nCheck the group owner of all files and directories in a local interactive user's home directory with the following command:\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n\n$ sudo ls -lLR ///\n-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3\n\nIf any files found with a group-owner different from the home directory user private group, check to see if the user is a member of that group with the following command:\n\n$ sudo grep smithj /etc/group\nsa:x:100:juan,shelley,bob,smithj \nsmithj:x:521:smithj\n\nIf any files or directories are group owned by a group that the directory owner is not a member of, this is a finding.", @@ -578,6 +818,11 @@ "stig_id": "RHEL-08-020025", "gtitle": "SRG-OS-000021-GPOS-00005", "fix_id": "F-47765r743847_fix", + "satisfies": [ + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" + ], + "documentable": false, "cci": [ "CCI-000044" ], 
@@ -586,15 +831,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244533" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244533", "title": "RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.", - "desc": "[\"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\\n\\nIn RHEL 8.2 the \\\"/etc/security/faillock.conf\\\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \\\"local_users_only\\\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\\n\\nFrom \\\"faillock.conf\\\" man pages: Note that the default directory that \\\"pam_faillock\\\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \\\"dir\\\" option.\\nThe preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password.\\n\\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false\"]", + "desc": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) 
users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\nThe preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password.\n\n", "impact": 0.5, "descs": { "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the pam_faillock.so module is present in the \"/etc/pam.d/system-auth\" file:\n\n$ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so\nIf the pam_faillock.so module is not present in the \"/etc/pam.d/system-auth\" file with the \"preauth\" line listed before pam_unix.so, this is a finding.", @@ -610,6 +851,11 @@ "stig_id": "RHEL-08-020026", "gtitle": "SRG-OS-000021-GPOS-00005", "fix_id": "F-47766r743850_fix", + "satisfies": [ + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" + ], + "documentable": false, "cci": [ "CCI-000044" ], 
@@ -618,15 +864,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244534" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244534", "title": "RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.", - "desc": "[\"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\\n\\nIn RHEL 8.2 the \\\"/etc/security/faillock.conf\\\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \\\"local_users_only\\\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\\n\\nFrom \\\"faillock.conf\\\" man pages: Note that the default directory that \\\"pam_faillock\\\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \\\"dir\\\" option.\\nThe preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password.\\n\\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false\"]", + "desc": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) 
users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\nThe preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password.\n\n", "impact": 0.5, "descs": { "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the pam_faillock.so module is present in the \"/etc/pam.d/password-auth\" file:\n\n$ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so\n\nIf the pam_faillock.so module is not present in the \"/etc/pam.d/password-auth\" file with the \"preauth\" line listed before pam_unix.so, this is a finding.", @@ -642,6 +884,12 @@ "stig_id": "RHEL-08-020031", "gtitle": "SRG-OS-000029-GPOS-00010", "fix_id": "F-47767r743853_fix", + "satisfies": [ + "SRG-OS-000029-GPOS-00010", + "SRG-OS-000031-GPOS-00012", + "SRG-OS-000480-GPOS-00227" + ], + "documentable": false, "cci": [ "CCI-000057" ], 
@@ -650,15 +898,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244535" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244535", "title": "RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.", - "desc": "[\"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe session lock is implemented at the point where session activity can be determined and/or controlled.\\n\\nSatisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227false\"]", + "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.\n\n", "impact": 0.5, "descs": { "check": "Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated with the following command:\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. 
If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\n$ sudo gsettings get org.gnome.desktop.screensaver lock-delay\n\nuint32 5\n\nIf the \"uint32\" setting is missing, or is not set to \"5\" or less, this is a finding.", @@ -674,6 +918,7 @@ "stig_id": "RHEL-08-020032", "gtitle": "SRG-OS-000480-GPOS-00227", "fix_id": "F-47768r743856_fix", + "documentable": false, "cci": [ "CCI-000366" ], @@ -682,15 +927,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244536" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244536", "title": "RHEL 8 must disable the user list at logon for graphical user interfaces.", - "desc": "[\"Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system.false\"]", + "desc": "Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system.", "impact": 0.5, "descs": { "check": "Verify the operating system disables the user logon list for graphical user interfaces with the following command:\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\n$ sudo gsettings get org.gnome.login-screen disable-user-list\ntrue\n\nIf the setting is \"false\", this is a finding.", @@ -706,6 +947,11 @@ "stig_id": "RHEL-08-020039", "gtitle": "SRG-OS-000028-GPOS-00009", "fix_id": "F-47769r743859_fix", + "satisfies": [ + "SRG-OS-000028-GPOS-00009", + "SRG-OS-000030-GPOS-00011" + ], + "documentable": false, "cci": [ "CCI-000056" ], 
@@ -714,15 +960,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244537" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244537", "title": "RHEL 8 must have the tmux package installed.", - "desc": "[\"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\\nTmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.\\n\\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false\"]", + "desc": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\nTmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. 
Red Hat endorses tmux as the recommended session controlling package.\n\n", "impact": 0.5, "descs": { "check": "Verify RHEL 8 has the \"tmux\" package installed, by running the following command:\n\n$ sudo yum list installed tmux\n\ntmux.x86.64 2.7-1.el8 @repository\n\nIf \"tmux\" is not installed, this is a finding.", @@ -738,6 +980,12 @@ "stig_id": "RHEL-08-020081", "gtitle": "SRG-OS-000029-GPOS-00010", "fix_id": "F-47770r743862_fix", + "satisfies": [ + "SRG-OS-000029-GPOS-00010", + "SRG-OS-000031-GPOS-00012", + "SRG-OS-000480-GPOS-00227" + ], + "documentable": false, "cci": [ "CCI-000057" ], 
@@ -746,15 +994,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244538" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244538", "title": "RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.", - "desc": "[\"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe session lock is implemented at the point where session activity can be determined and/or controlled.\\n\\nImplementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.\\n\\nLocking these settings from non-privileged users is crucial to maintaining a protected baseline.\\n\\nSatisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227false\"]", + "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.\n\nImplementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.\n\nLocking these settings from non-privileged users is crucial to maintaining a protected baseline.\n\n", "impact": 0.5, "descs": { "check": "Verify the operating system prevents a user from overriding settings for graphical user interfaces. \n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n\n$ sudo grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck that graphical settings are locked from non-privileged user modification with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\n$ sudo grep -i idle /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/session/idle-delay\n\nIf the command does not return at least the example result, this is a finding.", @@ -770,6 +1014,12 @@ "stig_id": "RHEL-08-020082", "gtitle": "SRG-OS-000029-GPOS-00010", "fix_id": "F-47771r743865_fix", + "satisfies": [ + "SRG-OS-000029-GPOS-00010", + "SRG-OS-000031-GPOS-00012", + "SRG-OS-000480-GPOS-00227" + ], + "documentable": false, "cci": [ "CCI-000057" ], 
@@ -778,15 +1028,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244539" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244539", "title": "RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.", - "desc": "[\"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe session lock is implemented at the point where session activity can be determined and/or controlled.\\n\\nImplementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.\\n\\nLocking these settings from non-privileged users is crucial to maintaining a protected baseline.\\n\\nSatisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227false\"]", + "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.\n\nImplementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.\n\nLocking these settings from non-privileged users is crucial to maintaining a protected baseline.\n\n", "impact": 0.5, "descs": { "check": "Verify the operating system prevents a user from overriding settings for graphical user interfaces. \n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n\n$ sudo grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck that graphical settings are locked from non-privileged user modification with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\n$ sudo grep -i lock-enabled /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/lock-enabled\n\nIf the command does not return at least the example result, this is a finding.", @@ -802,6 +1048,7 @@ "stig_id": "RHEL-08-020331", "gtitle": "SRG-OS-000480-GPOS-00227", "fix_id": "F-47772r743868_fix", + "documentable": false, "cci": [ "CCI-000366" ], 
@@ -810,15 +1057,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244540" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244540", "title": "RHEL 8 must not allow blank or null passwords in the system-auth file.", - "desc": "[\"If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.false\"]", + "desc": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.", "impact": 0.7, "descs": { "check": "To verify that null passwords cannot be used, run the following command:\n\n$ sudo grep -i nullok /etc/pam.d/system-auth\n\nIf output is produced, this is a finding.", @@ -834,6 +1077,7 @@ "stig_id": "RHEL-08-020332", "gtitle": "SRG-OS-000480-GPOS-00227", "fix_id": "F-47773r743871_fix", + "documentable": false, "cci": [ "CCI-000366" ], @@ -842,15 +1086,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244541" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244541", "title": "RHEL 8 must not allow blank or null passwords in the password-auth file.", - "desc": "[\"If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.false\"]", + "desc": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.", "impact": 0.7, "descs": { "check": "To verify that null passwords cannot be used, run the following command:\n\n$ sudo grep -i nullok /etc/pam.d/password-auth\n\nIf output is produced, this is a finding.", 
@@ -866,6 +1106,33 @@
 "stig_id": "RHEL-08-030181",
 "gtitle": "SRG-OS-000062-GPOS-00031",
 "fix_id": "F-47774r743874_fix",
+ "satisfies": [
+ "SRG-OS-000062-GPOS-00031",
+ "SRG-OS-000037-GPOS-00015",
+ "SRG-OS-000038-GPOS-00016",
+ "SRG-OS-000039-GPOS-00017",
+ "SRG-OS-000040-GPOS-00018",
+ "SRG-OS-000041-GPOS-00019",
+ "SRG-OS-000042-GPOS-00021",
+ "SRG-OS-000051-GPOS-00024",
+ "SRG-OS-000054-GPOS-00025",
+ "SRG-OS-000122-GPOS-00063",
+ "SRG-OS-000254-GPOS-00095",
+ "SRG-OS-000255-GPOS-00096",
+ "SRG-OS-000337-GPOS-00129",
+ "SRG-OS-000348-GPOS-00136",
+ "SRG-OS-000349-GPOS-00137",
+ "SRG-OS-000350-GPOS-00138",
+ "SRG-OS-000351-GPOS-00139",
+ "SRG-OS-000352-GPOS-00140",
+ "SRG-OS-000353-GPOS-00141",
+ "SRG-OS-000354-GPOS-00142",
+ "SRG-OS-000358-GPOS-00145",
+ "SRG-OS-000365-GPOS-00152",
+ "SRG-OS-000392-GPOS-00172",
+ "SRG-OS-000475-GPOS-00220"
+ ],
+ "documentable": false,
 "cci": [
 "CCI-000169"
 ],
@@ -874,15 +1141,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244542" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244542", "title": "RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.", - "desc": "[\"Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\\n\\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\\n\\nAssociating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system.\\n\\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220false\"]", + "desc": "Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage 
or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system.\n\n", "impact": 0.5, "descs": { "check": "Verify the audit service is configured to produce audit records with the following command:\n\n$ sudo systemctl status auditd.service.\n\nauditd.service - Security Auditing Service\nLoaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)\nActive: active (running) since Tues 2020-12-11 12:56:56 EST; 4 weeks 0 days ago\n\nIf the audit service is not \"active\" and \"running\", this is a finding.", @@ -898,6 +1161,7 @@ "stig_id": "RHEL-08-030731", "gtitle": "SRG-OS-000343-GPOS-00134", "fix_id": "F-47775r743877_fix", + "documentable": false, "cci": [ "CCI-001855" ], 
@@ -906,15 +1170,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244543" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244543", "title": "RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.", - "desc": "[\"If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.false\"]", + "desc": "If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.", "impact": 0.5, "descs": { "check": "Verify RHEL 8 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:\n\n$ sudo grep -w space_left_action /etc/audit/auditd.conf\n\nspace_left_action = email\n\nIf the value of the \"space_left_action\" is not set to \"email\", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.\n\nIf there is no evidence that real-time alerts are configured on the system, this is a finding.", @@ -930,6 +1190,7 @@ "stig_id": "RHEL-08-040101", "gtitle": "SRG-OS-000297-GPOS-00115", "fix_id": "F-47776r743880_fix", + "documentable": false, "cci": [ "CCI-002314" ], 
@@ -938,15 +1199,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244544" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244544", "title": "A firewall must be active on RHEL 8.", - "desc": "[\"\\\"Firewalld\\\" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.\\n\\nRemote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.\\n\\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\\nRHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).false\"]", + "desc": "\"Firewalld\" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.\n\nRemote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. 
Remote access methods include, for example, dial-up, broadband, and wireless.\nRHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).", "impact": 0.5, "descs": { "check": "Verify that \"firewalld\" is active with the following commands:\n\n$ sudo systemctl is-active firewalld\n\nactive\n\nIf the \"firewalld\" package is not \"active\", ask the System Administrator if another firewall is installed. If no firewall is installed and active this is a finding.", @@ -962,6 +1219,12 @@ "stig_id": "RHEL-08-040136", "gtitle": "SRG-OS-000368-GPOS-00154", "fix_id": "F-47777r743883_fix", + "satisfies": [ + "SRG-OS-000368-GPOS-00154", + "SRG-OS-000370-GPOS-00155", + "SRG-OS-000480-GPOS-00232" + ], + "documentable": false, "cci": [ "CCI-001764" ], 
@@ -970,15 +1233,11 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244545" + "DPMS Target Red Hat Enterprise Linux 8" ], + "id": "V-244545", "title": "The RHEL 8 fapolicy module must be enabled.", - "desc": "[\"The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.\\n\\nUtilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.\\n\\nUser home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.\\n\\nRHEL 8 ships with many optional packages. One such package is a file access policy daemon called \\\"fapolicyd\\\". \\\"fapolicyd\\\" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.\\n\\nProceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The \\\"fapolicyd\\\" API is not namespace aware and can cause issues when launching or running containers.\\n\\nSatisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232false\"]", + "desc": "The organization must identify authorized software programs and permit execution of authorized software. 
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.\n\nUtilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.\n\nUser home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.\n\nRHEL 8 ships with many optional packages. One such package is a file access policy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.\n\nProceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The \"fapolicyd\" API is not namespace aware and can cause issues when launching or running containers.\n\n", "impact": 0.5, "descs": { "check": "Verify the RHEL 8 \"fapolicyd\" is enabled and running with the following command:\n\n$ sudo systemctl status fapolicyd.service\n\nfapolicyd.service - File Access Policy Daemon\nLoaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)\nActive: active (running)\n\nIf fapolicyd is not enabled and running, this is a finding.", @@ -994,6 +1253,12 @@ "stig_id": "RHEL-08-040137", "gtitle": "SRG-OS-000368-GPOS-00154", "fix_id": "F-47778r743886_fix", + "satisfies": [ + "SRG-OS-000368-GPOS-00154", + "SRG-OS-000370-GPOS-00155", + "SRG-OS-000480-GPOS-00232" + ], + "documentable": false, "cci": [ "CCI-001764" ], 
@@ -1002,15 +1267,11 @@
 ]
 },
 "refs": [
- [
- "DPMS Target Red Hat Enterprise Linux 8"
- ]
- ],
- "id": [
- "V-244546"
+ "DPMS Target Red Hat Enterprise Linux 8"
 ],
+ "id": "V-244546",
 "title": "The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.",
- "desc": "[\"The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.\\n\\nUtilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.\\n\\nUser home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.\\n\\nRHEL 8 ships with many optional packages. One such package is a file access policy daemon called \\\"fapolicyd\\\". \\\"fapolicyd\\\" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.\\n\\nProceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The \\\"fapolicyd\\\" API is not namespace aware and can cause issues when launching or running containers.\\n\\nSatisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232false\"]",
+ "desc": "The organization must identify authorized software programs and permit execution of authorized software. 
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.\n\nUtilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.\n\nUser home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.\n\nRHEL 8 ships with many optional packages. One such package is a file access policy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.\n\nProceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The \"fapolicyd\" API is not namespace aware and can cause issues when launching or running containers.\n\n",
 "impact": 0.5,
 "descs": {
 "check": "Verify the RHEL 8 \"fapolicyd\" employs a deny-all, permit-by-exception policy.\n\nCheck that \"fapolicyd\" is in enforcement mode with the following command:\n\n$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf\n\npermissive = 0\n\nCheck that fapolicyd employs a deny-all policy on system mounts with the following commands:\n\n$ sudo tail /etc/fapolicyd/fapolicyd.rules\n\nallow exe=/usr/bin/python3.7 : ftype=text/x-python\ndeny_audit perm=any pattern=ld_so : all\ndeny perm=any all : all\n\n$ sudo cat /etc/fapolicyd/fapolicyd.mounts\n\n/dev/shm\n/run\n/sys/fs/cgroup\n/\n/home\n/boot\n/run/user/42\n/run/user/1000\n\nIf fapolicyd is not running in enforcement mode on all system mounts with a deny-all, permit-by-exception policy, this is a finding.",
@@ -1026,6 +1287,7 @@
 "stig_id": "RHEL-08-040139",
 "gtitle": "SRG-OS-000378-GPOS-00163",
 "fix_id": "F-47779r743889_fix",
+ "documentable": false,
 "cci": [
 "CCI-001958"
 ],
@@ -1034,15 +1296,11 @@
 ]
 },
 "refs": [
- [
- "DPMS Target Red Hat Enterprise Linux 8"
- ]
- ],
- "id": [
- "V-244547"
+ "DPMS Target Red Hat Enterprise Linux 8"
 ],
+ "id": "V-244547",
 "title": "RHEL 8 must have the USBGuard installed.",
- "desc": "[\"Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\\nPeripherals include, but are not limited to, such devices as flash drives, external storage, and printers.\\nA new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.\\n\\nThe System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.false\"]",
+ "desc": "Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\nPeripherals include, but are not limited to, such devices as flash drives, external storage, and printers.\nA new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. 
The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.\n\nThe System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.",
 "impact": 0.5,
 "descs": {
 "check": "Verify USBGuard is installed on the operating system with the following command:\n\n$ sudo yum list installed usbguard\n\nInstalled Packages\nusbguard.x86_64 0.7.8-7.el8 @ol8_appstream\n\nIf the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked.\nIf there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.",
@@ -1058,6 +1316,7 @@
 "stig_id": "RHEL-08-040141",
 "gtitle": "SRG-OS-000378-GPOS-00163",
 "fix_id": "F-47780r743892_fix",
+ "documentable": false,
 "cci": [
 "CCI-001958"
 ],
@@ -1066,15 +1325,11 @@
 ]
 },
 "refs": [
- [
- "DPMS Target Red Hat Enterprise Linux 8"
- ]
- ],
- "id": [
- "V-244548"
+ "DPMS Target Red Hat Enterprise Linux 8"
 ],
+ "id": "V-244548",
 "title": "RHEL 8 must enable the USBGuard.",
- "desc": "[\"Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\\n\\nPeripherals include, but are not limited to, such devices as flash drives, external storage, and printers.\\n\\nA new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.\\n\\nThe System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.false\"]",
+ "desc": "Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\n\nPeripherals include, but are not limited to, such devices as flash drives, external storage, and printers.\n\nA new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. 
The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.\n\nThe System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.",
 "impact": 0.5,
 "descs": {
 "check": "Verify the operating system has enabled the use of the USBGuard with the following command:\n\n$ sudo systemctl status usbguard.service\n\nusbguard.service - USBGuard daemon\nLoaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled)\nActive: active (running)\n\nIf the usbguard.service is not enabled and active, ask the SA to indicate how unauthorized peripherals are being blocked.\nIf there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.",
@@ -1090,6 +1345,13 @@
 "stig_id": "RHEL-08-040159",
 "gtitle": "SRG-OS-000423-GPOS-00187",
 "fix_id": "F-47781r743895_fix",
+ "satisfies": [
+ "SRG-OS-000423-GPOS-00187",
+ "SRG-OS-000424-GPOS-00188",
+ "SRG-OS-000425-GPOS-00189",
+ "SRG-OS-000426-GPOS-00190"
+ ],
+ "documentable": false,
 "cci": [
 "CCI-002418"
 ],
@@ -1098,15 +1360,11 @@
 ]
 },
 "refs": [
- [
- "DPMS Target Red Hat Enterprise Linux 8"
- ]
- ],
- "id": [
- "V-244549"
+ "DPMS Target Red Hat Enterprise Linux 8"
 ],
+ "id": "V-244549",
 "title": "All RHEL 8 networked systems must have SSH installed.",
- "desc": "[\"Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \\n\\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \\n\\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\\n\\nSatisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190false\"]",
+ "desc": "Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
\n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\n\n",
 "impact": 0.5,
 "descs": {
 "check": "Verify SSH is installed with the following command:\n\n$ sudo yum list installed openssh-server\n\nopenssh-server.x86_64 8.0p1-5.el8 @anaconda\n\nIf the \"SSH server\" package is not installed, this is a finding.",
@@ -1122,6 +1380,7 @@
 "stig_id": "RHEL-08-040209",
 "gtitle": "SRG-OS-000480-GPOS-00227",
 "fix_id": "F-47782r743898_fix",
+ "documentable": false,
 "cci": [
 "CCI-000366"
 ],
@@ -1130,15 +1389,11 @@
 ]
 },
 "refs": [
- [
- "DPMS Target Red Hat Enterprise Linux 8"
- ]
- ],
- "id": [
- "V-244550"
+ "DPMS Target Red Hat Enterprise Linux 8"
 ],
+ "id": "V-244550",
 "title": "RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.",
- "desc": "[\"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false\"]",
+ "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.",
 "impact": 0.5,
 "descs": {
 "check": "Verify RHEL 8 will not accept IPv4 ICMP redirect messages.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_redirects\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.",
@@ -1154,6 +1409,7 @@
 "stig_id": "RHEL-08-040239",
 "gtitle": "SRG-OS-000480-GPOS-00227",
 "fix_id": "F-47783r743901_fix",
+ "documentable": false,
 "cci": [
 "CCI-000366"
 ],
@@ -1162,15 +1418,11 @@
 ]
 },
 "refs": [
- [
- "DPMS Target Red Hat Enterprise Linux 8"
- ]
- ],
- "id": [
- "V-244551"
+ "DPMS Target Red Hat Enterprise Linux 8"
 ],
+ "id": "V-244551",
 "title": "RHEL 8 must not forward IPv4 source-routed packets.",
- "desc": "[\"Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.false\"]",
+ "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.",
 "impact": 0.5,
 "descs": {
 "check": "Verify RHEL 8 does not accept IPv4 source-routed packets.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_source_route\n\nnet.ipv4.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.",
@@ -1186,6 +1438,7 @@
 "stig_id": "RHEL-08-040249",
 "gtitle": "SRG-OS-000480-GPOS-00227",
 "fix_id": "F-47784r743904_fix",
+ "documentable": false,
 "cci": [
 "CCI-000366"
 ],
@@ -1194,15 +1447,11 @@
 ]
 },
 "refs": [
- [
- "DPMS Target Red Hat Enterprise Linux 8"
- ]
- ],
- "id": [
- "V-244552"
+ "DPMS Target Red Hat Enterprise Linux 8"
 ],
+ "id": "V-244552",
 "title": "RHEL 8 must not forward IPv4 source-routed packets by default.",
- "desc": "[\"Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.false\"]",
+ "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.",
 "impact": 0.5,
 "descs": {
 "check": "Verify RHEL 8 does not accept IPv4 source-routed packets by default.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_source_route\n\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.",
@@ -1218,6 +1467,7 @@
 "stig_id": "RHEL-08-040279",
 "gtitle": "SRG-OS-000480-GPOS-00227",
 "fix_id": "F-47785r743907_fix",
+ "documentable": false,
 "cci": [
 "CCI-000366"
 ],
@@ -1226,15 +1476,11 @@
 ]
 },
 "refs": [
- [
- "DPMS Target Red Hat Enterprise Linux 8"
- ]
- ],
- "id": [
- "V-244553"
+ "DPMS Target Red Hat Enterprise Linux 8"
 ],
+ "id": "V-244553",
 "title": "RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.",
- "desc": "[\"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false\"]",
+ "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.",
 "impact": 0.5,
 "descs": {
 "check": "Verify RHEL 8 ignores IPv4 ICMP redirect messages.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_redirects\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.",
@@ -1250,6 +1496,7 @@
 "stig_id": "RHEL-08-040286",
 "gtitle": "SRG-OS-000480-GPOS-00227",
 "fix_id": "F-47786r743910_fix",
+ "documentable": false,
 "cci": [
 "CCI-000366"
 ],
@@ -1258,15 +1505,11 @@
 ]
 },
 "refs": [
- [
- "DPMS Target Red Hat Enterprise Linux 8"
- ]
- ],
- "id": [
- "V-244554"
+ "DPMS Target Red Hat Enterprise Linux 8"
 ],
+ "id": "V-244554",
 "title": "RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.",
- "desc": "[\"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\\nEnabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to \\\"2\\\" enables JIT hardening for all users.false\"]",
+ "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\nEnabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to \"2\" enables JIT hardening for all users.",
 "impact": 0.5,
 "descs": {
 "check": "Verify RHEL 8 enables hardening for the BPF JIT with the following commands:\n\n$ sudo sysctl net.core.bpf_jit_harden\n\nnet.core.bpf_jit_harden = 2\n\nIf the returned line does not have a value of \"2\", or a line is not returned, this is a finding.",
@@ -1282,6 +1525,7 @@
 "stig_id": "RHEL-08-010001",
 "gtitle": "SRG-OS-000191-GPOS-00080",
 "fix_id": "F-48770r754729_fix",
+ "documentable": false,
 "cci": [
 "CCI-001233"
 ],
@@ -1290,15 +1534,11 @@
 ]
 },
 "refs": [
- [
- "DPMS Target Red Hat Enterprise Linux 8"
- ]
- ],
- "id": [
- "V-245540"
+ "DPMS Target Red Hat Enterprise Linux 8"
 ],
+ "id": "V-245540",
 "title": "The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.",
- "desc": "[\"Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.false\"]",
+ "desc": "Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.",
 "impact": 0.5,
 "descs": {
 "check": "Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux.\n\nProcedure:\nCheck that the following package has been installed:\n\n$ sudo rpm -qa | grep -i mcafeetp\n\nIf the \"mcafeetp\" package is not installed, this is a finding.\n\nVerify that the daemon is running:\n\n$ sudo ps -ef | grep -i mfetpd\n\nIf the daemon is not running, this is a finding.",
@@ -1306,427 +1546,2241 @@ } } }, - "changedControls": {} - }, - "rawDiff": { - "addedControlIDs": [ - [ - "V-244519" - ], - [ - "V-244520" - ], - [ - "V-244521" - ], - [ - "V-244522" - ], - [ - "V-244523" - ], - [ - "V-244524" - ], - [ - "V-244525" - ], - [ - "V-244526" - ], - [ - "V-244527" - ], - [ - "V-244528" - ], - [ - "V-244529" - ], - [ - "V-244530" - ], - [ - "V-244531" - ], - [ - "V-244532" - ], - [ - "V-244533" - ], - [ - "V-244534" - ], - [ - "V-244535" - ], - [ - "V-244536" - ], - [ - "V-244537" - ], - [ - "V-244538" - ], - [ - "V-244539" - ], - [ - "V-244540" - ], - [ - "V-244541" - ], - [ - "V-244542" - ], - [ - "V-244543" - ], - [ - "V-244544" - ], - [ - "V-244545" - ], - [ - "V-244546" - ], - [ - "V-244547" - ], - [ - "V-244548" - ], - [ - "V-244549" - ], - [ - "V-244550" - ], - [ - "V-244551" - ], - [ - "V-244552" - ], - [ - "V-244553" - ], - [ - "V-244554" - ], - [ - "V-245540" - ] - ], - "removedControlIDs": [ - [ - "V-230528" - ] - ], - "renamedControlIDs": {}, - "changedControlIDs": [], - "addedControls": { - "V-244519": { + "changedControls": { + "V-230221": { "tags": { - "check_id": "C-47794r743804_chk", - "severity": "medium", - "gid": "V-244519", - "rid": "SV-244519r743806_rule", - "stig_id": "RHEL-08-010049", - "gtitle": "SRG-OS-000023-GPOS-00006", - "fix_id": "F-47751r743805_fix", - "cci": [ - "CCI-000048" - ], - "nist": [ - "AC-8 a" - ] + "check_id": "C-32890r743912_chk", + "rid": "SV-230221r743913_rule" }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244519" - ], - "title": "RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.", - "desc": "[\"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\\n\\nSystem use 
notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\\n\\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088false\"]", - "impact": 0.5, + "desc": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRed Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.", "descs": { - "check": "Verify RHEL 8 displays a banner before granting access to the operating system via a graphical user logon.\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. 
\n\nCheck to see if the operating system displays a banner at the logon screen with the following command:\n\n$ sudo grep banner-message-enable /etc/dconf/db/local.d/*\n\nbanner-message-enable=true\n\nIf \"banner-message-enable\" is set to \"false\" or is missing, this is a finding.", - "fix": "Configure the operating system to display a banner before granting access to the system.\n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nCreate a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:\n\n$ sudo touch /etc/dconf/db/local.d/01-banner-message\n\nAdd the following lines to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\n[org/gnome/login-screen]\n\nbanner-message-enable=true\n\nRun the following command to update the database:\n\n$ sudo dconf update" + "check": "Verify the version of the operating system is vendor supported.\n\nCheck the version of the operating system with the following command:\n\n$ sudo cat /etc/redhat-release\n\nRed Hat Enterprise Linux Server release 8.4 (Ootpa)\n\nCurrent End of Extended Update Support for RHEL 8.1 is 30 November 2021.\n\nCurrent End of Extended Update Support for RHEL 8.2 is 30 April 2022.\n\nCurrent End of Extended Update Support for RHEL 8.4 is 30 April 2023.\n\nCurrent End of Maintenance Support for RHEL 8.5 is 30 April 2022.\n\nCurrent End of Extended Update Support for RHEL 8.6 is 30 April 2024.\n\nCurrent End of Maintenance Support for RHEL 8.7 is 30 April 2023.\n\nCurrent End of Extended Update Support for RHEL 8.8 is 30 April 2025.\n\nCurrent End of Maintenance Support for RHEL 8.9 is 30 April 2024.\n\nCurrent End of Maintenance Support for RHEL 8.10 is 31 May 2029.\n\nIf the release is not supported by the vendor, this is a finding." 
} }, - "V-244520": { + "V-230222": {}, + "V-230223": {}, + "V-230224": {}, + "V-230225": {}, + "V-230226": { "tags": { - "check_id": "C-47795r743807_chk", - "severity": "medium", - "gid": "V-244520", - "rid": "SV-244520r743809_rule", - "stig_id": "RHEL-08-010131", - "gtitle": "SRG-OS-000073-GPOS-00041", - "fix_id": "F-47752r743808_fix", - "cci": [ - "CCI-000196" - ], - "nist": [ - "IA-5 (1) (c)" - ] + "check_id": "C-32895r743914_chk", + "rid": "SV-230226r743916_rule", + "fix_id": "F-32870r743915_fix" }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244520" - ], - "title": "The RHEL 8 system-auth file must be configured to use a sufficient number of hashing rounds.", - "desc": "[\"The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.\\n\\nPasswords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.false\"]", - "impact": 0.5, "descs": { - "check": "Check that a minimum number of hash rounds is configured by running the following command:\n\n$ sudo grep rounds /etc/pam.d/system-auth\n\npassword sufficient pam_unix.so sha512 rounds=5000\n\nIf \"rounds\" has a value below \"5000\", or is commented out, this is a finding.", - "fix": "Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.\n\nEdit/modify the following line in the \"etc/pam.d/system-auth\" file and set \"rounds\" to a value no lower than \"5000\":\n\npassword sufficient pam_unix.so sha512 rounds=5000" + "check": "Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. 
If the system does not have any graphical user interface installed, this requirement is Not Applicable. \n\nCheck that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command:\n\n$ sudo grep banner-message-text /etc/dconf/db/local.d/*\n\nbanner-message-text=\n'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. 
They will not be displayed on the graphical interface.\n\nIf the banner does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.", + "fix": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nAdd the following lines to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\nbanner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. 
They will not be displayed on the graphical interface.\n\nRun the following command to update the database:\n\n$ sudo dconf update" } }, - "V-244521": { + "V-230227": {}, + "V-230228": {}, + "V-230229": {}, + "V-230230": {}, + "V-230231": {}, + "V-230232": {}, + "V-230233": { "tags": { - "check_id": "C-47796r743810_chk", - "severity": "medium", - "gid": "V-244521", - "rid": "SV-244521r743812_rule", - "stig_id": "RHEL-08-010141", - "gtitle": "SRG-OS-000080-GPOS-00048", - "fix_id": "F-47753r743811_fix", - "cci": [ - "CCI-000213" - ], - "nist": [ - "AC-3" - ] + "check_id": "C-32902r743917_chk", + "rid": "SV-230233r743919_rule", + "fix_id": "F-32877r743918_fix" }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244521" - ], - "title": "RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.", - "desc": "[\"If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.false\"]", - "impact": 0.5, + "title": "The RHEL 8 password-auth file must be configured to use a sufficient number of hashing rounds.", "descs": { - "check": "For systems that use BIOS, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/efi/EFI/redhat/grub.cfg\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nIf \"superusers\" is not set to a unique name or is missing a name, this is a finding.", - "fix": "Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg" + "check": "Check that a minimum number of hash rounds is configured by running the following command:\n\n$ sudo grep rounds /etc/pam.d/password-auth\n\npassword sufficient pam_unix.so sha512 rounds=5000\n\nIf \"rounds\" has a value below \"5000\", or is commented out, this is a finding.", + "fix": "Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.\n\nEdit/modify the following line in the \"/etc/pam.d/password-auth\" file and set \"rounds\" to a value no lower than \"5000\":\n\npassword sufficient pam_unix.so sha512 rounds=5000" } }, - "V-244522": { + "V-230234": { "tags": { - "check_id": "C-47797r743813_chk", - "severity": "medium", - "gid": "V-244522", - "rid": "SV-244522r743815_rule", - "stig_id": "RHEL-08-010149", - "gtitle": "SRG-OS-000080-GPOS-00048", - "fix_id": "F-47754r743814_fix", - "cci": [ - "CCI-000213" - ], - "nist": [ - "AC-3" - ] + "check_id": "C-32903r743920_chk", + "rid": 
"SV-230234r743922_rule", + "fix_id": "F-32878r743921_fix" }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244522" - ], - "title": "RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.", - "desc": "[\"If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.false\"]", - "impact": 0.5, + "title": "RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.", "descs": { - "check": "For systems that use UEFI, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/grub2/grub.cfg\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nIf \"superusers\" is not set to a unique name or is missing a name, this is a finding.", - "fix": "Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg" + "check": "For systems that use BIOS, this is Not Applicable.\n\nCheck to see if an encrypted grub superusers password is set. 
On systems that use UEFI, use the following command:\n\n$ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg\n\nGRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\nIf the grub superusers password does not begin with \"grub.pbkdf2.sha512\", this is a finding.", + "fix": "Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.\n\nGenerate an encrypted grub2 password for the grub superusers account with the following command:\n\n$ sudo grub2-setpassword\nEnter password:\nConfirm password:" } }, - "V-244523": { + "V-230235": { "tags": { - "check_id": "C-47798r743816_chk", - "severity": "medium", - "gid": "V-244523", - "rid": "SV-244523r743818_rule", - "stig_id": "RHEL-08-010152", - "gtitle": "SRG-OS-000080-GPOS-00048", - "fix_id": "F-47755r743817_fix", - "cci": [ - "CCI-000213" - ], - "nist": [ - "AC-3" - ] + "check_id": "C-32904r743923_chk", + "rid": "SV-230235r743925_rule", + "fix_id": "F-32879r743924_fix" }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244523" - ], - "title": "RHEL 8 operating systems must require authentication upon booting into emergency mode.", - "desc": "[\"If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.false\"]", - "impact": 0.5, "descs": { - "check": "Check to see if the system requires authentication for emergency mode with the following command:\n\n$ sudo grep sulogin-shell /usr/lib/systemd/system/emergency.service\n\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency\n\nIf the \"ExecStart\" line is configured for anything other than \"/usr/lib/systemd/systemd-sulogin-shell emergency\", commented out, or missing, this is a finding.", - "fix": "Configure the system to require authentication upon 
booting into emergency mode by adding the following line to the \"/usr/lib/systemd/system/emergency.service\" file.\n\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" + "check": "For systems that use UEFI, this is Not Applicable.\n\nCheck to see if an encrypted grub superusers password is set. On systems that use a BIOS, use the following command:\n\n$ sudo grep -iw grub2_password /boot/grub2/user.cfg\n\nGRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\nIf the grub superusers password does not begin with \"grub.pbkdf2.sha512\", this is a finding.", + "fix": "Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file.\n\nGenerate an encrypted grub2 password for the grub superusers account with the following command:\n\n$ sudo grub2-setpassword\nEnter password:\nConfirm password:" } }, - "V-244524": { + "V-230236": { "tags": { - "check_id": "C-47799r743819_chk", - "severity": "medium", - "gid": "V-244524", - "rid": "SV-244524r743821_rule", - "stig_id": "RHEL-08-010159", - "gtitle": "SRG-OS-000120-GPOS-00061", - "fix_id": "F-47756r743820_fix", - "cci": [ - "CCI-000803" - ], - "nist": [ - "IA-7" - ] + "check_id": "C-32905r743926_chk", + "rid": "SV-230236r743928_rule", + "fix_id": "F-32880r743927_fix" }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244524" - ], - "title": "The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.", - "desc": "[\"Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\\n\\nRHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. 
\\n\\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.false\"]", - "impact": 0.5, + "title": "RHEL 8 operating systems must require authentication upon booting into rescue mode.", "descs": { - "check": "Verify that pam_unix.so module is configured to use sha512.\n\nCheck that pam_unix.so module is configured to use sha512 in /etc/pam.d/system-auth with the following command:\n\n$ sudo grep password /etc/pam.d/system-auth | grep pam_unix\n\npassword sufficient pam_unix.so sha512 rounds=5000\n\nIf \"sha512\" is missing, or is commented out, this is a finding.", - "fix": "Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the \"/etc/pam.d/system-auth\" file to include the sha512 option for pam_unix.so:\n\npassword sufficient pam_unix.so sha512 rounds=5000" + "check": "Check to see if the system requires authentication for rescue mode with the following command:\n\n$ sudo grep sulogin-shell /usr/lib/systemd/system/rescue.service\n\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue\n\nIf the \"ExecStart\" line is configured for anything other than \"/usr/lib/systemd/systemd-sulogin-shell rescue\", commented out, or missing, this is a finding.", + "fix": "Configure the system to require authentication upon booting into rescue mode by adding the following line to the \"/usr/lib/systemd/system/rescue.service\" file.\n\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" } }, - "V-244525": { + "V-230237": { "tags": { - "check_id": "C-47800r743822_chk", - "severity": "medium", - "gid": "V-244525", - "rid": "SV-244525r743824_rule", - "stig_id": "RHEL-08-010201", - "gtitle": "SRG-OS-000163-GPOS-00072", - "fix_id": "F-47757r743823_fix", - "cci": [ - "CCI-001133" - ], - "nist": [ - 
"SC-10" - ] + "check_id": "C-32906r743929_chk", + "rid": "SV-230237r743931_rule", + "fix_id": "F-32881r743930_fix" }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244525" - ], - "title": "The RHEL 8 SSH daemon must be configured with a timeout interval.", - "desc": "[\"Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\\n\\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\\n\\nRHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of \\\"ClientAliveInterval\\\" and \\\"ClientAliveCountMax\\\" are used to establish the inactivity threshold. The \\\"ClientAliveInterval\\\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \\\"ClientAliveCountMax\\\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. 
For more information on these settings and others, refer to the sshd_config man pages.\\n\\nSatisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000126-GPOS-00066, SRG-OS-000279-GPOS-00109false\"]", - "impact": 0.5, + "title": "The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.", "descs": { - "check": "Verify all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity.\n\nCheck that the \"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following command:\n\n$ sudo grep -i clientalive /etc/ssh/sshd_config\n\nClientAliveInterval 600\nClientAliveCountMax 0\n\nIf \"ClientAliveInterval\" does not exist, does not have a value of \"600\" or less in \"/etc/ssh/sshd_config\", or is commented out, this is a finding.", - "fix": "Configure RHEL 8 to automatically terminate all network connections associated with SSH traffic at the end of a session or after 10 minutes of inactivity.\n\nModify or append the following lines in the \"/etc/ssh/sshd_config\" file:\n\nClientAliveInterval 600\n\nIn order for the changes to take effect, the SSH daemon must be restarted.\n\n$ sudo systemctl restart sshd.service" + "check": "Verify that the pam_unix.so module is configured to use sha512.\n\nCheck that the pam_unix.so module is configured to use sha512 in /etc/pam.d/password-auth with the following command:\n\n$ sudo grep password /etc/pam.d/password-auth | grep pam_unix\n\npassword sufficient pam_unix.so sha512 rounds=5000\n\nIf \"sha512\" is missing, or is commented out, this is a finding.", + "fix": "Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the \"/etc/pam.d/password-auth\" file to include the sha512 option for pam_unix.so:\n\npassword sufficient pam_unix.so sha512 
rounds=5000" } }, - "V-244526": { + "V-230238": {}, + "V-230239": {}, + "V-230240": {}, + "V-230241": {}, + "V-230242": {}, + "V-230243": {}, + "V-230244": { "tags": { - "check_id": "C-47801r743825_chk", - "severity": "medium", - "gid": "V-244526", - "rid": "SV-244526r743827_rule", - "stig_id": "RHEL-08-010287", + "check_id": "C-32913r743932_chk", + "rid": "SV-230244r743934_rule", + "fix_id": "F-32888r743933_fix" + }, + "desc": "Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\nRHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" are used to establish the inactivity threshold. The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. 
For more information on these settings and others, refer to the sshd_config man pages.\n\n", + "descs": { + "check": "Verify all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity.\n\nCheck that the \"ClientAliveCountMax\" is set to \"0\" by performing the following command:\n\n$ sudo grep -i clientalive /etc/ssh/sshd_config\n\nClientAliveInterval 600\nClientAliveCountMax 0\n\nIf \"ClientAliveCountMax\" do not exist, is not set to a value of \"0\" in \"/etc/ssh/sshd_config\", or is commented out, this is a finding.", + "fix": "Configure RHEL 8 to automatically terminate all network connections associated with SSH traffic at the end of a session or after 10 minutes of inactivity.\n\nModify or append the following lines in the \"/etc/ssh/sshd_config\" file:\n\nClientAliveCountMax 0\n\nIn order for the changes to take effect, the SSH daemon must be restarted.\n\n$ sudo systemctl restart sshd.service" + } + }, + "V-230245": {}, + "V-230246": {}, + "V-230247": {}, + "V-230248": {}, + "V-230249": {}, + "V-230250": {}, + "V-230251": { + "tags": { + "check_id": "C-32920r743935_chk", + "rid": "SV-230251r743937_rule", + "fix_id": "F-32895r743936_fix" + }, + "title": "The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.", + "desc": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. 
Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\n\nRHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.\n\nThe system will attempt to use the first hash presented by the client that matches the server list. Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest hash available to secure the SSH connection.\n\n", + "descs": { + "check": "Verify the SSH server is configured to use only MACs employing FIPS 140-2-approved algorithms with the following command:\n\n$ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config\n\n-oMACS=hmac-sha2-512,hmac-sha2-256\n\nIf the MACs entries in the \"opensshserver.config\" file have any hashes other than \"hmac-sha2-512\" and \"hmac-sha2-256\", the order differs from the example above, they are missing, or commented out, this is a finding.", + "fix": "Configure the RHEL 8 SSH server to use only MACs employing FIPS 140-2-approved algorithms by updating the \"/etc/crypto-policies/back-ends/opensshserver.config\" file with the following line:\n\n-oMACS=hmac-sha2-512,hmac-sha2-256\n\nA reboot is required for the changes to take effect." 
+ } + }, + "V-230252": { + "tags": { + "check_id": "C-32921r743938_chk", + "rid": "SV-230252r743940_rule", + "fix_id": "F-32896r743939_fix" + }, + "title": "The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections.", + "desc": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\n\nRHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.\n\nThe system will attempt to use the first hash presented by the client that matches the server list. 
Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest hash available to secure the SSH connection.\n\n", + "descs": { + "check": "Verify the SSH server is configured to use only ciphers employing FIPS 140-2-approved algorithms with the following command:\n\n$ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config\n\nCRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr'\n\nIf the cipher entries in the \"opensshserver.config\" file have any ciphers other than \"aes256-ctr,aes192-ctr,aes128-ctr\", the order differs from the example above, they are missing, or commented out, this is a finding.", + "fix": "Configure the RHEL 8 SSH server to use only ciphers employing FIPS 140-2-approved algorithms by updating the \"/etc/crypto-policies/back-ends/opensshserver.config\" file with the following line:\n\n-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr\n\nA reboot is required for the changes to take effect." + } + }, + "V-230253": {}, + "V-230254": {}, + "V-230255": {}, + "V-230256": {}, + "V-230257": {}, + "V-230258": {}, + "V-230259": {}, + "V-230260": {}, + "V-230261": {}, + "V-230262": {}, + "V-230263": {}, + "V-230264": {}, + "V-230265": {}, + "V-230266": {}, + "V-230267": {}, + "V-230268": {}, + "V-230269": {}, + "V-230270": {}, + "V-230271": {}, + "V-230272": {}, + "V-230273": { + "tags": { + "check_id": "C-32942r743941_chk", + "rid": "SV-230273r743943_rule", + "fix_id": "F-32917r743942_fix" + }, + "descs": { + "check": "Verify the operating system has the packages required for multifactor authentication installed with the following commands:\n\n$ sudo yum list installed openssl-pkcs11\n\nopenssl-pkcs11.x86_64 0.4.8-2.el8 @anaconda\n\nIf the \"openssl-pkcs11\" package is not installed, ask the administrator to indicate what type of multifactor authentication is being utilized and what packages are installed to support it. 
If there is no evidence of multifactor authentication being used, this is a finding.", + "fix": "Configure the operating system to implement multifactor authentication by installing the required package with the following command:\n\n$ sudo yum install openssl-pkcs11" + } + }, + "V-230274": { + "tags": { + "check_id": "C-32943r743944_chk", + "rid": "SV-230274r743945_rule" + }, + "descs": { + "check": "Verify the operating system implements certificate status checking for multifactor authentication.\n\nCheck to see if Online Certificate Status Protocol (OCSP) is enabled and using the proper digest value on the system with the following command:\n\n$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v \"^#\"\n\ncertificate_verification = ocsp_dgst=sha1\n\nIf the certificate_verification line is missing from the [sssd] section, or is missing \"ocsp_dgst=sha1\", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. If there is no evidence of certificate status checking being used, this is a finding." + } + }, + "V-230275": {}, + "V-230276": {}, + "V-230277": {}, + "V-230278": { + "tags": { + "check_id": "C-32947r743946_chk", + "rid": "SV-230278r743948_rule", + "fix_id": "F-32922r743947_fix" + }, + "desc": "Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. 
This allows the system calls to be executed in userspace to alleviate the context switching expense.\n\nVirtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on RHEL 6 components, then virtual syscalls will need enabled so the components function properly.\n\n", + "descs": { + "check": "Verify that GRUB 2 is configured to disable vsyscalls with the following commands:\n\nCheck that the current GRUB 2 configuration disables vsyscalls:\n\n$ sudo grub2-editenv - list | grep vsyscall\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf \"vsyscall\" is not set to \"none\" or is missing, this is a finding.\n\nCheck that vsyscalls are disabled by default to persist in kernel updates: \n\n$ sudo grep vsyscall /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"vsyscall=none\"\n\nIf \"vsyscall\" is not set to \"none\", is missing or commented out and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", + "fix": "Document the use of vsyscalls with the ISSO as an operational requirement or disable them with the following command:\n\n$ sudo grubby --update-kernel=ALL --args=\"vsyscall=none\"\n\nAdd or modify the following line in \"/etc/default/grub\" to ensure the configuration survives kernel updates:\n\nGRUB_CMDLINE_LINUX=\"vsyscall=none\"" + } + }, + "V-230279": {}, + "V-230280": {}, + "V-230281": {}, + "V-230282": {}, + "V-230283": {}, + "V-230284": {}, + "V-230285": {}, + "V-230286": {}, + "V-230287": { + "tags": { + "check_id": "C-32956r743949_chk", + "rid": "SV-230287r743951_rule", + "fix_id": 
"F-32931r743950_fix" + }, + "title": "The RHEL 8 SSH private host key files must have mode 0600 or less permissive.", + "descs": { + "check": "Verify the SSH private host key files have mode \"0600\" or less permissive with the following command:\n\n$ sudo ls -l /etc/ssh/ssh_host*key\n\n-rw------- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key\n-rw------- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key\n-rw------- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any private host key file has a mode more permissive than \"0600\", this is a finding.", + "fix": "Configure the mode of SSH private host key files under \"/etc/ssh\" to \"0600\" with the following command:\n\n$ sudo chmod 0600 /etc/ssh/ssh_host*key\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n$ sudo systemctl restart sshd.service" + } + }, + "V-230288": {}, + "V-230289": { + "tags": { + "check_id": "C-32958r743952_chk", + "rid": "SV-230289r743954_rule", + "fix_id": "F-32933r743953_fix" + }, + "descs": { + "check": "Verify the SSH daemon performs compression after a user successfully authenticates with the following command:\n\n$ sudo grep -i compression /etc/ssh/sshd_config\n\nCompression delayed\n\nIf the \"Compression\" keyword is set to \"yes\", is missing, or the returned line is commented out, this is a finding.", + "fix": "Uncomment the \"Compression\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to \"delayed\" or \"no\":\n\nCompression no\n\nThe SSH service must be restarted for changes to take effect." 
+ } + }, + "V-230290": {}, + "V-230291": { + "tags": { + "check_id": "C-32960r743955_chk", + "rid": "SV-230291r743957_rule", + "fix_id": "F-32935r743956_fix" + }, + "title": "The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.", + "descs": { + "check": "Verify the SSH daemon does not allow Kerberos authentication with the following command:\n\n$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config\n\nKerberosAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, no output is returned, or has not been documented with the ISSO, this is a finding.", + "fix": "Configure the SSH daemon to not allow Kerberos authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"no\":\n\nKerberosAuthentication no\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n$ sudo systemctl restart sshd.service" + } + }, + "V-230292": {}, + "V-230293": {}, + "V-230294": {}, + "V-230295": {}, + "V-230296": {}, + "V-230297": {}, + "V-230298": {}, + "V-230299": {}, + "V-230300": { + "tags": { + "check_id": "C-32969r743958_chk", + "rid": "SV-230300r743959_rule" + }, + "descs": { + "check": "For systems that use UEFI, this is Not Applicable.\n\nVerify the /boot directory is mounted with the \"nosuid\" option with the following command:\n\n$ sudo mount | grep '\\s/boot\\s'\n\n/dev/sda1 on /boot type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota)\n\nIf the /boot file system does not have the \"nosuid\" option set, this is a finding." 
+ } + }, + "V-230301": {}, + "V-230302": {}, + "V-230303": {}, + "V-230304": {}, + "V-230305": {}, + "V-230306": {}, + "V-230307": {}, + "V-230308": {}, + "V-230309": {}, + "V-230310": {}, + "V-230311": {}, + "V-230312": {}, + "V-230313": {}, + "V-230314": {}, + "V-230315": {}, + "V-230316": {}, + "V-230317": {}, + "V-230318": { + "tags": { + "rid": "SV-230318r743960_rule" + }, + "title": "All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.", + "desc": "If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access." + }, + "V-230319": { + "tags": { + "rid": "SV-230319r743961_rule" + }, + "desc": "If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access." + }, + "V-230320": {}, + "V-230321": {}, + "V-230322": { + "tags": { + "check_id": "C-32991r743962_chk", + "rid": "SV-230322r743963_rule" + }, + "descs": { + "check": "Verify the assigned home directory of all local interactive users is group-owned by that user’s primary GID with the following command:\n\nNote: This may miss local interactive users that have been assigned a privileged UID. 
Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory \"/home/smithj\" is used as an example.\n\n$ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n\ndrwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nCheck the user's primary group with the following command:\n\n$ sudo grep $(grep smithj /etc/passwd | awk -F: ‘{print $4}’) /etc/group\n\nadmin:x:250:smithj,jonesj,jacksons\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by that user’s primary GID, this is a finding." + } + }, + "V-230323": {}, + "V-230324": {}, + "V-230325": {}, + "V-230326": {}, + "V-230327": {}, + "V-230328": {}, + "V-230329": {}, + "V-230330": {}, + "V-230331": {}, + "V-230332": {}, + "V-230333": { + "tags": { + "check_id": "C-33002r743964_chk", + "rid": "SV-230333r743966_rule", + "fix_id": "F-32977r743965_fix" + }, + "descs": { + "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to lock an account after three unsuccessful logon attempts:\n\n$ sudo grep 'deny =' /etc/security/faillock.conf\n\ndeny = 3\n\nIf the \"deny\" option is not set to \"3\" or less (but not \"0\"), is missing or commented out, this is a finding.", + "fix": "Configure the operating system to lock an account when three unsuccessful logon attempts occur.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\ndeny = 3" + } + }, + "V-230334": {}, + "V-230335": { + "tags": { + "check_id": "C-33004r743967_chk", + "rid": "SV-230335r743969_rule", + "fix_id": "F-32979r743968_fix" + }, + "descs": { + "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to lock an account 
after three unsuccessful logon attempts within 15 minutes:\n\n$ sudo grep 'fail_interval =' /etc/security/faillock.conf\n\nfail_interval = 900\n\nIf the \"fail_interval\" option is not set to \"900\" or more, is missing or commented out, this is a finding.", + "fix": "Configure the operating system to lock an account when three unsuccessful logon attempts occur in 15 minutes.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\nfail_interval = 900" + } + }, + "V-230336": {}, + "V-230337": { + "tags": { + "check_id": "C-33006r743970_chk", + "rid": "SV-230337r743972_rule", + "fix_id": "F-32981r743971_fix" + }, + "descs": { + "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to lock an account until released by an administrator after three unsuccessful logon attempts:\n\n$ sudo grep 'unlock_time =' /etc/security/faillock.conf\n\nunlock_time = 0\n\nIf the \"unlock_time\" option is not set to \"0\", is missing or commented out, this is a finding.", + "fix": "Configure the operating system to lock an account until released by an administrator when three unsuccessful logon attempts occur in 15 minutes.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\nunlock_time = 0" + } + }, + "V-230338": {}, + "V-230339": { + "tags": { + "check_id": "C-33008r743973_chk", + "rid": "SV-230339r743975_rule", + "fix_id": "F-32983r743974_fix" + }, + "descs": { + "check": "Note: This check applies to RHEL versions 8.2 or newer. 
If the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the \"/etc/security/faillock.conf\" file is configured use a non-default faillock directory to ensure contents persist after reboot:\n\n$ sudo grep 'dir =' /etc/security/faillock.conf\n\ndir = /var/log/faillock\n\nIf the \"dir\" option is not set to a non-default documented tally log directory, is missing or commented out, this is a finding.", + "fix": "Configure the operating system maintain the contents of the faillock directory after a reboot.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\ndir = /var/log/faillock" + } + }, + "V-230340": {}, + "V-230341": { + "tags": { + "check_id": "C-33010r743976_chk", + "rid": "SV-230341r743978_rule", + "fix_id": "F-32985r743977_fix" + }, + "descs": { + "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to prevent informative messages from being presented at logon attempts:\n\n$ sudo grep silent /etc/security/faillock.conf\n\nsilent\n\nIf the \"silent\" option is not set, is missing or commented out, this is a finding.", + "fix": "Configure the operating system to prevent informative messages from being presented at logon attempts.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\nsilent" + } + }, + "V-230342": {}, + "V-230343": { + "tags": { + "check_id": "C-33012r743979_chk", + "rid": "SV-230343r743981_rule", + "fix_id": "F-32987r743980_fix" + }, + "descs": { + "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to log user name information when unsuccessful logon attempts occur:\n\n$ sudo grep audit /etc/security/faillock.conf\n\naudit\n\nIf the \"audit\" option is not 
set, is missing or commented out, this is a finding.", + "fix": "Configure the operating system to log user name information when unsuccessful logon attempts occur.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\naudit" + } + }, + "V-230344": {}, + "V-230345": { + "tags": { + "check_id": "C-33014r743982_chk", + "rid": "SV-230345r743984_rule", + "fix_id": "F-32989r743983_fix" + }, + "descs": { + "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to log user name information when unsuccessful logon attempts occur:\n\n$ sudo grep even_deny_root /etc/security/faillock.conf\n\neven_deny_root\n\nIf the \"even_deny_root\" option is not set, is missing or commented out, this is a finding.", + "fix": "Configure the operating system to include root when locking an account after three unsuccessful logon attempts occur in 15 minutes.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\neven_deny_root" + } + }, + "V-230346": {}, + "V-230347": {}, + "V-230348": { + "tags": { + "check_id": "C-33017r743985_chk", + "rid": "SV-230348r743987_rule", + "fix_id": "F-32992r743986_fix" + }, + "descs": { + "check": "Verify the operating system enables the user to initiate a session lock with the following command:\n\n$ sudo grep -i lock-command /etc/tmux.conf\n\nset -g lock-command vlock\n\nIf the \"lock-command\" is not set in the global settings to call \"vlock\", this is a finding.", + "fix": "Configure the operating system to enable a user to initiate a session lock via tmux.\n\nCreate a global configuration file \"/etc/tmux.conf\" and add the following line:\n\nset -g lock-command vlock" + } + }, + "V-230349": {}, + "V-230350": {}, + "V-230351": {}, + "V-230352": {}, + "V-230353": {}, + "V-230354": { + "tags": { + "check_id": "C-33023r743988_chk", + "rid": 
"SV-230354r743990_rule", + "fix_id": "F-32998r743989_fix" + }, + "title": "RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.", + "descs": { + "check": "Verify the operating system prevents a user from overriding settings for graphical user interfaces. \n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n\n$ sudo grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck that graphical settings are locked from non-privileged user modification with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\n$ sudo grep -i lock-delay /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/lock-delay\n\nIf the command does not return at least the example result, this is a finding.", + "fix": "Configure the operating system to prevent a user from overriding settings for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n$ sudo touch /etc/dconf/db/local.d/locks/session\n\nAdd the following setting to prevent non-privileged users from modifying it:\n\n/org/gnome/desktop/screensaver/lock-delay" + } + }, + "V-230355": {}, + "V-230356": {}, + "V-230357": {}, + "V-230358": {}, + "V-230359": {}, + "V-230360": {}, + "V-230361": {}, + "V-230362": {}, + "V-230363": {}, + "V-230364": {}, + "V-230365": 
{}, + "V-230366": {}, + "V-230367": {}, + "V-230368": {}, + "V-230369": {}, + "V-230370": {}, + "V-230371": {}, + "V-230372": {}, + "V-230373": {}, + "V-230374": {}, + "V-230375": {}, + "V-230376": {}, + "V-230377": {}, + "V-230378": {}, + "V-230379": {}, + "V-230380": { + "tags": { + "check_id": "C-33049r743991_chk", + "rid": "SV-230380r743993_rule", + "fix_id": "F-33024r743992_fix" + }, + "title": "RHEL 8 must not allow accounts configured with blank or null passwords.", + "descs": { + "check": "To verify that null passwords cannot be used, run the following command:\n\n$ sudo grep -i permitemptypasswords /etc/ssh/sshd_config\n\nPermitEmptyPasswords no\n\nIf \"PermitEmptyPasswords\" is set to \"yes\", this is a finding.", + "fix": "Edit the following line in \"etc/ssh/sshd_config\" to prevent logons with empty passwords.\n\nPermitEmptyPasswords no\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n$ sudo systemctl restart sshd.service" + } + }, + "V-230381": {}, + "V-230382": {}, + "V-230383": {}, + "V-230384": {}, + "V-230385": {}, + "V-230386": {}, + "V-230387": { + "tags": { + "check_id": "C-33056r743994_chk", + "rid": "SV-230387r743996_rule", + "fix_id": "F-33031r743995_fix" + }, + "descs": { + "check": "Verify that \"rsyslog\" is configured to log cron events with the following command:\n\nNote: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n\n$ sudo grep -s cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none /var/log/messages\n/etc/rsyslog.conf:# Log cron stuff\n/etc/rsyslog.conf:cron.* /var/log/cron\n\nIf the command does not return a response, check for cron logging all facilities with the following command.\n\n$ sudo grep -s /var/log/messages /etc/rsyslog.conf 
/etc/rsyslog.d/*.conf\n\n/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none /var/log/messages\n\nIf \"rsyslog\" is not logging messages for the cron facility or all facilities, this is a finding.", + "fix": "Configure \"rsyslog\" to log all cron messages by adding or updating the following line to \"/etc/rsyslog.conf\" or a configuration file in the /etc/rsyslog.d/ directory:\n\ncron.* /var/log/cron\n\nThe rsyslog daemon must be restarted for the changes to take effect:\n$ sudo systemctl restart rsyslog.service" + } + }, + "V-230388": {}, + "V-230389": {}, + "V-230390": {}, + "V-230391": { + "tags": { + "rid": "SV-230391r743998_rule", + "fix_id": "F-33035r743997_fix" + }, + "descs": {} + }, + "V-230392": {}, + "V-230393": {}, + "V-230394": {}, + "V-230395": {}, + "V-230396": {}, + "V-230397": {}, + "V-230398": {}, + "V-230399": {}, + "V-230400": {}, + "V-230401": {}, + "V-230402": {}, + "V-230403": {}, + "V-230404": {}, + "V-230405": {}, + "V-230406": {}, + "V-230407": {}, + "V-230408": {}, + "V-230409": {}, + "V-230410": {}, + "V-230411": { + "tags": { + "check_id": "C-33080r743999_chk", + "rid": "SV-230411r744000_rule" + }, + "title": "The RHEL 8 audit package must be installed.", + "descs": { + "check": "Verify the audit service is configured to produce audit records.\n\nCheck that the audit service is installed with the following command:\n\n$ sudo yum list installed audit\n\nIf the \"audit\" package is not installed, this is a finding." 
+ } + }, + "V-230412": {}, + "V-230413": {}, + "V-230414": {}, + "V-230415": {}, + "V-230416": {}, + "V-230417": {}, + "V-230418": {}, + "V-230419": {}, + "V-230420": {}, + "V-230421": {}, + "V-230422": {}, + "V-230423": {}, + "V-230424": {}, + "V-230425": {}, + "V-230426": {}, + "V-230427": {}, + "V-230428": {}, + "V-230429": {}, + "V-230430": {}, + "V-230431": {}, + "V-230432": {}, + "V-230433": {}, + "V-230434": { + "tags": { + "rid": "SV-230434r744002_rule", + "fix_id": "F-33078r744001_fix" + }, + "descs": { + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"ssh-keysign\" by adding or updating the following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect." + } + }, + "V-230435": {}, + "V-230436": {}, + "V-230437": {}, + "V-230438": {}, + "V-230439": {}, + "V-230440": {}, + "V-230441": {}, + "V-230442": {}, + "V-230443": {}, + "V-230444": {}, + "V-230445": {}, + "V-230446": {}, + "V-230447": {}, + "V-230448": {}, + "V-230449": {}, + "V-230450": {}, + "V-230451": {}, + "V-230452": {}, + "V-230453": {}, + "V-230454": {}, + "V-230455": {}, + "V-230456": {}, + "V-230457": {}, + "V-230458": {}, + "V-230459": {}, + "V-230460": {}, + "V-230461": {}, + "V-230462": {}, + "V-230463": {}, + "V-230464": {}, + "V-230465": {}, + "V-230466": {}, + "V-230467": {}, + "V-230468": {}, + "V-230469": { + "tags": { + "check_id": "C-33138r744003_chk", + "rid": "SV-230469r744004_rule" + }, + "descs": { + "check": "Verify RHEL 8 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following commands:\n\n$ sudo grub2-editenv - list | grep audit\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet 
fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the \"audit_backlog_limit\" entry does not equal \"8192\" or greater, is missing, or the line is commented out, this is a finding.\n\nCheck the audit_backlog_limit is set to persist in kernel updates: \n\n$ sudo grep audit /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"audit_backlog_limit=8192\"\n\nIf \"audit_backlog_limit\" is not set to \"8192\" or greater, is missing or commented out, this is a finding." + } + }, + "V-230470": { + "tags": { + "rid": "SV-230470r744006_rule", + "fix_id": "F-33114r744005_fix" + }, + "descs": { + "fix": "Configure RHEL 8 to enable Linux audit logging of the USBGuard daemon by adding or modifying the following line in \"/etc/usbguard/usbguard-daemon.conf\":\n\nAuditBackend=LinuxAudit" + } + }, + "V-230471": {}, + "V-230472": {}, + "V-230473": { + "tags": { + "check_id": "C-33142r744007_chk", + "rid": "SV-230473r744008_rule" + }, + "descs": { + "check": "Verify the audit tools are owned by \"root\" to prevent any unauthorized access, deletion, or modification.\n\nCheck the owner of each audit tool by running the following command:\n\n$ sudo stat -c \"%U %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n\nroot /sbin/auditctl\nroot /sbin/aureport\nroot /sbin/ausearch\nroot /sbin/autrace\nroot /sbin/auditd\nroot /sbin/rsyslogd\nroot /sbin/augenrules\n\nIf any of the audit tools are not owned by \"root\", this is a finding." + } + }, + "V-230474": {}, + "V-230475": {}, + "V-230476": {}, + "V-230477": {}, + "V-230478": { + "tags": { + "check_id": "C-33147r744009_chk", + "rid": "SV-230478r744011_rule", + "fix_id": "F-33122r744010_fix" + }, + "desc": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nRHEL 8 installation media provides \"rsyslogd\". 
\"rsyslogd\" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with \"rsyslog-gnutls\" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.\n\nRsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.\nExamples of each configuration:\nUDP *.* @remotesystemname\nTCP *.* @@remotesystemname\nRELP *.* :omrelp:remotesystemname:2514\nNote that a port number was given as there is no standard port for RELP.", + "descs": { + "check": "Verify the operating system has the packages required for encrypting offloaded audit logs installed with the following commands:\n\n$ sudo yum list installed rsyslog-gnutls\n\nrsyslog-gnutls.x86_64 8.1911.0-3.el8 @AppStream\n\nIf the \"rsyslog-gnutls\" package is not installed, ask the administrator to indicate how audit logs are being encrypted during offloading and what packages are installed to support it. 
If there is no evidence of audit logs being encrypted during offloading, this is a finding.", + "fix": "Configure the operating system to encrypt offloaded audit logs by installing the required packages with the following command:\n\n$ sudo yum install rsyslog-gnutls" + } + }, + "V-230479": {}, + "V-230480": {}, + "V-230481": {}, + "V-230482": {}, + "V-230483": { + "tags": { + "check_id": "C-33152r744012_chk", + "rid": "SV-230483r744014_rule", + "fix_id": "F-33127r744013_fix" + }, + "title": "RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.", + "descs": { + "check": "Verify RHEL 8 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following commands:\n\n$ sudo grep -w space_left /etc/audit/auditd.conf\n\nspace_left = 25%\n\nIf the value of the \"space_left\" keyword is not set to \"25%\" or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.\n\nIf there is no evidence that real-time alerts are configured on the system, this is a finding.", + "fix": "Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file.\n\nspace_left = 25%\n\nNote: Option names and values in the auditd.conf file are case insensitive." 
+ } + }, + "V-230484": {}, + "V-230485": {}, + "V-230486": {}, + "V-230487": {}, + "V-230488": {}, + "V-230489": {}, + "V-230491": {}, + "V-230492": {}, + "V-230493": {}, + "V-230494": {}, + "V-230495": {}, + "V-230496": { + "tags": { + "check_id": "C-33165r744015_chk", + "rid": "SV-230496r744017_rule", + "fix_id": "F-33140r744016_fix" + }, + "title": "RHEL 8 must disable the stream control transmission protocol (SCTP).", + "descs": { + "check": "Verify the operating system disables the ability to load the SCTP kernel module.\n\n$ sudo grep -ri SCTP /etc/modprobe.d/* | grep -i \"/bin/true\"\n\ninstall SCTP /bin/true\n\nIf the command does not return any output, or the line is commented out, and use of the SCTP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the SCTP.\n\nCheck to see if the SCTP is disabled with the following command:\n\n$ sudo grep -ri SCTP /etc/modprobe.d/* | grep -i \"blacklist\"\n\nblacklist SCTP\n\nIf the command does not return any output or the output is not \"blacklist SCTP\", and use of the SCTP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", + "fix": "Configure the operating system to disable the ability to use the SCTP kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\ninstall SCTP /bin/true\nblacklist SCTP\n\nReboot the system for the settings to take effect." 
+ } + }, + "V-230497": {}, + "V-230498": {}, + "V-230499": {}, + "V-230500": {}, + "V-230502": {}, + "V-230503": {}, + "V-230504": {}, + "V-230505": { + "tags": { + "check_id": "C-33174r744018_chk", + "rid": "SV-230505r744020_rule", + "fix_id": "F-33149r744019_fix" + }, + "descs": { + "check": "Verify that \"firewalld\" is installed with the following commands:\n\n$ sudo yum list installed firewalld\n\nfirewalld.noarch 0.7.0-5.el8\n\nIf the \"firewalld\" package is not installed, ask the System Administrator if another firewall is installed. If no firewall is installed this is a finding.", + "fix": "Install \"firewalld\" with the following command:\n\n$ sudo yum install firewalld.noarch" + } + }, + "V-230506": {}, + "V-230507": {}, + "V-230508": {}, + "V-230509": {}, + "V-230510": {}, + "V-230511": {}, + "V-230512": {}, + "V-230513": {}, + "V-230514": {}, + "V-230515": {}, + "V-230516": {}, + "V-230517": {}, + "V-230518": {}, + "V-230519": {}, + "V-230520": {}, + "V-230521": {}, + "V-230522": {}, + "V-230523": { + "tags": { + "check_id": "C-33192r744021_chk", + "rid": "SV-230523r744023_rule", + "fix_id": "F-33167r744022_fix" + }, + "title": "The RHEL 8 fapolicy module must be installed.", + "desc": "The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.\n\nUtilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.\n\nUser home directories/folders may contain information of a sensitive nature. 
Non-privileged users should coordinate any sharing of information with an SA through shared resources.\n\nRHEL 8 ships with many optional packages. One such package is a file access policy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.\n\nProceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The \"fapolicyd\" API is not namespace aware and can cause issues when launching or running containers.\n\n", + "descs": { + "check": "Verify the RHEL 8 \"fapolicyd\" is installed.\n\nCheck that \"fapolicyd\" is installed with the following command:\n\n$ sudo yum list installed fapolicyd\n\nInstalled Packages\nfapolicyd.x86_64\n\nIf fapolicyd is not installed, this is a finding.", + "fix": "Install \"fapolicyd\" with the following command:\n\n$ sudo yum install fapolicyd.x86_64" + } + }, + "V-230524": { + "tags": { + "check_id": "C-33193r744024_chk", + "rid": "SV-230524r744026_rule", + "fix_id": "F-33168r744025_fix" + }, + "descs": { + "check": "Verify the USBGuard has a policy configured with the following command:\n\n$ sudo usbguard list-rules\n\nIf the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked.\n\nIf there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.", + "fix": "Configure the operating system to enable the blocking of unauthorized peripherals with the following command:\nThis command must be run from a root shell and will create an allow list for any usb devices currently connect to the system.\n\n# usbguard generate-policy > /etc/usbguard/rules.conf\n\nNote: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access 
over a usb device such as a keyboard or mouse" + } + }, + "V-230525": { + "tags": { + "check_id": "C-33194r744027_chk", + "rid": "SV-230525r744029_rule", + "fix_id": "F-33169r744028_fix" + }, + "descs": { + "check": "Verify \"nftables\" is configured to allow rate limits on any connection to the system with the following command:\n\nVerify \"firewalld\" has \"nftables\" set as the default backend:\n\n$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf\n\n# FirewallBackend\nFirewallBackend=nftables\n\nIf the \"nftables\" is not set as the \"firewallbackend\" default, this is a finding.", + "fix": "Configure \"nftables\" to be the default \"firewallbackend\" for \"firewalld\" by adding or editing the following line in \"etc/firewalld/firewalld.conf\":\n\nFirewallBackend=nftables\n\nEstablish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces." + } + }, + "V-230526": { + "tags": { + "check_id": "C-33195r744030_chk", + "rid": "SV-230526r744032_rule", + "fix_id": "F-33170r744031_fix" + }, + "descs": { + "check": "Verify SSH is loaded and active with the following command:\n\n$ sudo systemctl status sshd\n\nsshd.service - OpenSSH server daemon\nLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\nActive: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\nMain PID: 1348 (sshd)\nCGroup: /system.slice/sshd.service\n1053 /usr/sbin/sshd -D\n\nIf \"sshd\" does not show a status of \"active\" and \"running\", this is a finding.", + "fix": "Configure the SSH service to automatically start after reboot with the following command:\n\n$ sudo systemctl enable sshd.service" + } + }, + "V-230527": {}, + "V-230529": {}, + "V-230530": {}, + "V-230531": {}, + "V-230532": {}, + "V-230533": {}, + "V-230534": {}, + "V-230535": { + "tags": { + "check_id": "C-33204r744033_chk", + "rid": "SV-230535r744035_rule", + "fix_id": "F-33179r744034_fix" + }, + "title": "RHEL 8 must prevent IPv6 Internet Control 
Message Protocol (ICMP) redirect messages from being accepted.", + "descs": { + "check": "Verify RHEL 8 will not accept IPv6 ICMP redirect messages.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_redirects\n\nnet.ipv6.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.", + "fix": "Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted with the following command:\n\n$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv6.conf.default.accept_redirects=0" + } + }, + "V-230536": { + "tags": { + "check_id": "C-33205r744036_chk", + "rid": "SV-230536r744037_rule" + }, + "descs": { + "check": "Verify RHEL 8 does not IPv4 ICMP redirect messages.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the \"all send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.send_redirects\n\nnet.ipv4.conf.all.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding." 
+ } + }, + "V-230537": { + "tags": { + "check_id": "C-33206r744038_chk", + "rid": "SV-230537r744039_rule" + }, + "descs": { + "check": "Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\nCheck the value of the \"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n$ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the returned line does not have a value of \"1\", a line is not returned, or the retuned line is commented out, this is a finding." + } + }, + "V-230538": { + "tags": { + "check_id": "C-33207r744040_chk", + "rid": "SV-230538r744042_rule", + "fix_id": "F-33182r744041_fix" + }, + "title": "RHEL 8 must not forward IPv6 source-routed packets.", + "descs": { + "check": "Verify RHEL 8 does not accept IPv6 source-routed packets.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_source_route\n\nnet.ipv6.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.", + "fix": "Configure RHEL 8 to not forward IPv6 source-routed packets with the following command:\n\n$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0\n\nIf \"0\" is not the system's all value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv6.conf.all.accept_source_route=0" + } + }, + "V-230539": { + "tags": { + "check_id": "C-33208r744043_chk", + "rid": "SV-230539r744045_rule", + "fix_id": "F-33183r744044_fix" + }, + "title": "RHEL 8 must not forward IPv6 source-routed packets by default.", + "descs": { + "check": "Verify RHEL 8 does not accept IPv6 source-routed packets by default.\n\nNote: If IPv6 is disabled on the system, 
this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_source_route\n\nnet.ipv6.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.", + "fix": "Configure RHEL 8 to not forward IPv6 source-routed packets by default with the following command:\n\n$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0\n\nIf \"0\" is not the system's default value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv6.conf.default.accept_source_route=0" + } + }, + "V-230540": {}, + "V-230541": {}, + "V-230542": {}, + "V-230543": { + "tags": { + "check_id": "C-33212r744046_chk", + "rid": "SV-230543r744047_rule" + }, + "descs": { + "check": "Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the \"default send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.send_redirects\n\nnet.ipv4.conf.default.send_redirects=0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding." 
+ } + }, + "V-230544": { + "tags": { + "check_id": "C-33213r744048_chk", + "rid": "SV-230544r744050_rule", + "fix_id": "F-33188r744049_fix" + }, + "title": "RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.", + "descs": { + "check": "Verify RHEL 8 ignores IPv6 ICMP redirect messages.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_redirects\n\nnet.ipv6.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.", + "fix": "Configure RHEL 8 to ignore IPv6 ICMP redirect messages with the following command:\n\n$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv6.conf.all.accept_redirects = 0" + } + }, + "V-230545": {}, + "V-230546": {}, + "V-230547": {}, + "V-230548": {}, + "V-230549": {}, + "V-230550": {}, + "V-230551": {}, + "V-230552": {}, + "V-230553": {}, + "V-230554": {}, + "V-230555": {}, + "V-230556": {}, + "V-230557": {}, + "V-230558": {}, + "V-230559": {}, + "V-230560": {}, + "V-230561": {}, + "V-237640": {}, + "V-237641": {}, + "V-237642": {}, + "V-237643": {} + } + }, + "rawDiff": { + "addedControlIDs": [ + "V-244519", + "V-244520", + "V-244521", + "V-244522", + "V-244523", + "V-244524", + "V-244525", + "V-244526", + "V-244527", + "V-244528", + "V-244529", + "V-244530", + "V-244531", + "V-244532", + "V-244533", + "V-244534", + "V-244535", + "V-244536", + "V-244537", + "V-244538", + "V-244539", + "V-244540", + "V-244541", + "V-244542", + "V-244543", + "V-244544", + "V-244545", + "V-244546", + "V-244547", + "V-244548", + "V-244549", + "V-244550", + "V-244551", + "V-244552", + "V-244553", + "V-244554", + "V-245540" + ], + 
"removedControlIDs": [ + "V-230528" + ], + "renamedControlIDs": {}, + "changedControlIDs": [ + "V-230221", + "V-230222", + "V-230223", + "V-230224", + "V-230225", + "V-230226", + "V-230227", + "V-230228", + "V-230229", + "V-230230", + "V-230231", + "V-230232", + "V-230233", + "V-230234", + "V-230235", + "V-230236", + "V-230237", + "V-230238", + "V-230239", + "V-230240", + "V-230241", + "V-230242", + "V-230243", + "V-230244", + "V-230245", + "V-230246", + "V-230247", + "V-230248", + "V-230249", + "V-230250", + "V-230251", + "V-230252", + "V-230253", + "V-230254", + "V-230255", + "V-230256", + "V-230257", + "V-230258", + "V-230259", + "V-230260", + "V-230261", + "V-230262", + "V-230263", + "V-230264", + "V-230265", + "V-230266", + "V-230267", + "V-230268", + "V-230269", + "V-230270", + "V-230271", + "V-230272", + "V-230273", + "V-230274", + "V-230275", + "V-230276", + "V-230277", + "V-230278", + "V-230279", + "V-230280", + "V-230281", + "V-230282", + "V-230283", + "V-230284", + "V-230285", + "V-230286", + "V-230287", + "V-230288", + "V-230289", + "V-230290", + "V-230291", + "V-230292", + "V-230293", + "V-230294", + "V-230295", + "V-230296", + "V-230297", + "V-230298", + "V-230299", + "V-230300", + "V-230301", + "V-230302", + "V-230303", + "V-230304", + "V-230305", + "V-230306", + "V-230307", + "V-230308", + "V-230309", + "V-230310", + "V-230311", + "V-230312", + "V-230313", + "V-230314", + "V-230315", + "V-230316", + "V-230317", + "V-230318", + "V-230319", + "V-230320", + "V-230321", + "V-230322", + "V-230323", + "V-230324", + "V-230325", + "V-230326", + "V-230327", + "V-230328", + "V-230329", + "V-230330", + "V-230331", + "V-230332", + "V-230333", + "V-230334", + "V-230335", + "V-230336", + "V-230337", + "V-230338", + "V-230339", + "V-230340", + "V-230341", + "V-230342", + "V-230343", + "V-230344", + "V-230345", + "V-230346", + "V-230347", + "V-230348", + "V-230349", + "V-230350", + "V-230351", + "V-230352", + "V-230353", + "V-230354", + "V-230355", + "V-230356", + 
"V-230357", + "V-230358", + "V-230359", + "V-230360", + "V-230361", + "V-230362", + "V-230363", + "V-230364", + "V-230365", + "V-230366", + "V-230367", + "V-230368", + "V-230369", + "V-230370", + "V-230371", + "V-230372", + "V-230373", + "V-230374", + "V-230375", + "V-230376", + "V-230377", + "V-230378", + "V-230379", + "V-230380", + "V-230381", + "V-230382", + "V-230383", + "V-230384", + "V-230385", + "V-230386", + "V-230387", + "V-230388", + "V-230389", + "V-230390", + "V-230391", + "V-230392", + "V-230393", + "V-230394", + "V-230395", + "V-230396", + "V-230397", + "V-230398", + "V-230399", + "V-230400", + "V-230401", + "V-230402", + "V-230403", + "V-230404", + "V-230405", + "V-230406", + "V-230407", + "V-230408", + "V-230409", + "V-230410", + "V-230411", + "V-230412", + "V-230413", + "V-230414", + "V-230415", + "V-230416", + "V-230417", + "V-230418", + "V-230419", + "V-230420", + "V-230421", + "V-230422", + "V-230423", + "V-230424", + "V-230425", + "V-230426", + "V-230427", + "V-230428", + "V-230429", + "V-230430", + "V-230431", + "V-230432", + "V-230433", + "V-230434", + "V-230435", + "V-230436", + "V-230437", + "V-230438", + "V-230439", + "V-230440", + "V-230441", + "V-230442", + "V-230443", + "V-230444", + "V-230445", + "V-230446", + "V-230447", + "V-230448", + "V-230449", + "V-230450", + "V-230451", + "V-230452", + "V-230453", + "V-230454", + "V-230455", + "V-230456", + "V-230457", + "V-230458", + "V-230459", + "V-230460", + "V-230461", + "V-230462", + "V-230463", + "V-230464", + "V-230465", + "V-230466", + "V-230467", + "V-230468", + "V-230469", + "V-230470", + "V-230471", + "V-230472", + "V-230473", + "V-230474", + "V-230475", + "V-230476", + "V-230477", + "V-230478", + "V-230479", + "V-230480", + "V-230481", + "V-230482", + "V-230483", + "V-230484", + "V-230485", + "V-230486", + "V-230487", + "V-230488", + "V-230489", + "V-230491", + "V-230492", + "V-230493", + "V-230494", + "V-230495", + "V-230496", + "V-230497", + "V-230498", + "V-230499", + "V-230500", 
+ "V-230502", + "V-230503", + "V-230504", + "V-230505", + "V-230506", + "V-230507", + "V-230508", + "V-230509", + "V-230510", + "V-230511", + "V-230512", + "V-230513", + "V-230514", + "V-230515", + "V-230516", + "V-230517", + "V-230518", + "V-230519", + "V-230520", + "V-230521", + "V-230522", + "V-230523", + "V-230524", + "V-230525", + "V-230526", + "V-230527", + "V-230529", + "V-230530", + "V-230531", + "V-230532", + "V-230533", + "V-230534", + "V-230535", + "V-230536", + "V-230537", + "V-230538", + "V-230539", + "V-230540", + "V-230541", + "V-230542", + "V-230543", + "V-230544", + "V-230545", + "V-230546", + "V-230547", + "V-230548", + "V-230549", + "V-230550", + "V-230551", + "V-230552", + "V-230553", + "V-230554", + "V-230555", + "V-230556", + "V-230557", + "V-230558", + "V-230559", + "V-230560", + "V-230561", + "V-237640", + "V-237641", + "V-237642", + "V-237643" + ], + "addedControls": { + "V-244519": { + "tags": { + "check_id": "C-47794r743804_chk", + "severity": "medium", + "gid": "V-244519", + "rid": "SV-244519r743806_rule", + "stig_id": "RHEL-08-010049", + "gtitle": "SRG-OS-000023-GPOS-00006", + "fix_id": "F-47751r743805_fix", + "satisfies": [ + "SRG-OS-000023-GPOS-00006", + "SRG-OS-000228-GPOS-00088" + ], + "documentable": false, + "cci": [ + "CCI-000048" + ], + "nist": [ + "AC-8 a" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244519", + "title": "RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.", + "desc": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\n", + "impact": 0.5, 
+ "descs": { + "check": "Verify RHEL 8 displays a banner before granting access to the operating system via a graphical user logon.\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. \n\nCheck to see if the operating system displays a banner at the logon screen with the following command:\n\n$ sudo grep banner-message-enable /etc/dconf/db/local.d/*\n\nbanner-message-enable=true\n\nIf \"banner-message-enable\" is set to \"false\" or is missing, this is a finding.", + "fix": "Configure the operating system to display a banner before granting access to the system.\n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nCreate a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:\n\n$ sudo touch /etc/dconf/db/local.d/01-banner-message\n\nAdd the following lines to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\n[org/gnome/login-screen]\n\nbanner-message-enable=true\n\nRun the following command to update the database:\n\n$ sudo dconf update" + } + }, + "V-244520": { + "tags": { + "check_id": "C-47795r743807_chk", + "severity": "medium", + "gid": "V-244520", + "rid": "SV-244520r743809_rule", + "stig_id": "RHEL-08-010131", + "gtitle": "SRG-OS-000073-GPOS-00041", + "fix_id": "F-47752r743808_fix", + "documentable": false, + "cci": [ + "CCI-000196" + ], + "nist": [ + "IA-5 (1) (c)" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244520", + "title": "The RHEL 8 system-auth file must be configured to use a sufficient number of hashing rounds.", + "desc": "The system must use a strong hashing algorithm to store the password. 
The system must use a sufficient number of hashing rounds to ensure the required level of entropy.\n\nPasswords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.", + "impact": 0.5, + "descs": { + "check": "Check that a minimum number of hash rounds is configured by running the following command:\n\n$ sudo grep rounds /etc/pam.d/system-auth\n\npassword sufficient pam_unix.so sha512 rounds=5000\n\nIf \"rounds\" has a value below \"5000\", or is commented out, this is a finding.", + "fix": "Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.\n\nEdit/modify the following line in the \"etc/pam.d/system-auth\" file and set \"rounds\" to a value no lower than \"5000\":\n\npassword sufficient pam_unix.so sha512 rounds=5000" + } + }, + "V-244521": { + "tags": { + "check_id": "C-47796r743810_chk", + "severity": "medium", + "gid": "V-244521", + "rid": "SV-244521r743812_rule", + "stig_id": "RHEL-08-010141", + "gtitle": "SRG-OS-000080-GPOS-00048", + "fix_id": "F-47753r743811_fix", + "documentable": false, + "cci": [ + "CCI-000213" + ], + "nist": [ + "AC-3" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244521", + "title": "RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.", + "desc": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.", + "impact": 0.5, + "descs": { + "check": "For systems that use BIOS, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/efi/EFI/redhat/grub.cfg\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nIf \"superusers\" is not set to a unique name or is missing a name, this is a finding.", + "fix": "Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg" + } + }, + "V-244522": { + "tags": { + "check_id": "C-47797r743813_chk", + "severity": "medium", + "gid": "V-244522", + "rid": "SV-244522r743815_rule", + "stig_id": "RHEL-08-010149", + "gtitle": "SRG-OS-000080-GPOS-00048", + "fix_id": "F-47754r743814_fix", + "documentable": false, + "cci": [ + "CCI-000213" + ], + "nist": [ + "AC-3" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244522", + "title": "RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.", + "desc": "If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.", + "impact": 0.5, + "descs": { + "check": "For systems that use UEFI, this is Not Applicable.\n\nVerify that a unique name is set as the \"superusers\" account:\n\n$ sudo grep -iw \"superusers\" /boot/grub2/grub.cfg\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nIf \"superusers\" is not set to a unique name or is missing a name, this is a finding.", + "fix": "Configure the system to have a unique name for the grub superusers account.\n\nEdit the /etc/grub.d/01_users file and add or modify the following lines:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\npassword_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}\n\nGenerate a new grub.cfg file with the following command:\n\n$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg" + } + }, + "V-244523": { + "tags": { + "check_id": "C-47798r743816_chk", + "severity": "medium", + "gid": "V-244523", + "rid": "SV-244523r743818_rule", + "stig_id": "RHEL-08-010152", + "gtitle": "SRG-OS-000080-GPOS-00048", + "fix_id": "F-47755r743817_fix", + "documentable": false, + "cci": [ + "CCI-000213" + ], + "nist": [ + "AC-3" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244523", + "title": "RHEL 8 operating systems must require authentication upon booting into emergency mode.", + "desc": "If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.", + "impact": 0.5, + "descs": { + "check": "Check to see if the system requires authentication for emergency mode with the following command:\n\n$ sudo grep sulogin-shell /usr/lib/systemd/system/emergency.service\n\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency\n\nIf the \"ExecStart\" line is configured for anything other 
than \"/usr/lib/systemd/systemd-sulogin-shell emergency\", commented out, or missing, this is a finding.", + "fix": "Configure the system to require authentication upon booting into emergency mode by adding the following line to the \"/usr/lib/systemd/system/emergency.service\" file.\n\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" + } + }, + "V-244524": { + "tags": { + "check_id": "C-47799r743819_chk", + "severity": "medium", + "gid": "V-244524", + "rid": "SV-244524r743821_rule", + "stig_id": "RHEL-08-010159", + "gtitle": "SRG-OS-000120-GPOS-00061", + "fix_id": "F-47756r743820_fix", + "documentable": false, + "cci": [ + "CCI-000803" + ], + "nist": [ + "IA-7" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244524", + "title": "The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.", + "desc": "Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n\nRHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. \n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.", + "impact": 0.5, + "descs": { + "check": "Verify that pam_unix.so module is configured to use sha512.\n\nCheck that pam_unix.so module is configured to use sha512 in /etc/pam.d/system-auth with the following command:\n\n$ sudo grep password /etc/pam.d/system-auth | grep pam_unix\n\npassword sufficient pam_unix.so sha512 rounds=5000\n\nIf \"sha512\" is missing, or is commented out, this is a finding.", + "fix": "Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the \"/etc/pam.d/system-auth\" file to include the sha512 option for pam_unix.so:\n\npassword sufficient pam_unix.so sha512 rounds=5000" + } + }, + "V-244525": { + "tags": { + "check_id": "C-47800r743822_chk", + "severity": "medium", + "gid": "V-244525", + "rid": "SV-244525r743824_rule", + "stig_id": "RHEL-08-010201", + "gtitle": "SRG-OS-000163-GPOS-00072", + "fix_id": "F-47757r743823_fix", + "satisfies": [ + "SRG-OS-000163-GPOS-00072", + "SRG-OS-000126-GPOS-00066", + "SRG-OS-000279-GPOS-00109" + ], + "documentable": false, + "cci": [ + "CCI-001133" + ], + "nist": [ + "SC-10" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244525", + "title": "The RHEL 8 SSH daemon must be configured with a timeout interval.", + "desc": "Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. 
In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\nRHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" are used to establish the inactivity threshold. The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. 
For more information on these settings and others, refer to the sshd_config man pages.\n\n", + "impact": 0.5, + "descs": { + "check": "Verify all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity.\n\nCheck that the \"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following command:\n\n$ sudo grep -i clientalive /etc/ssh/sshd_config\n\nClientAliveInterval 600\nClientAliveCountMax 0\n\nIf \"ClientAliveInterval\" does not exist, does not have a value of \"600\" or less in \"/etc/ssh/sshd_config\", or is commented out, this is a finding.", + "fix": "Configure RHEL 8 to automatically terminate all network connections associated with SSH traffic at the end of a session or after 10 minutes of inactivity.\n\nModify or append the following lines in the \"/etc/ssh/sshd_config\" file:\n\nClientAliveInterval 600\n\nIn order for the changes to take effect, the SSH daemon must be restarted.\n\n$ sudo systemctl restart sshd.service" + } + }, + "V-244526": { + "tags": { + "check_id": "C-47801r743825_chk", + "severity": "medium", + "gid": "V-244526", + "rid": "SV-244526r743827_rule", + "stig_id": "RHEL-08-010287", "gtitle": "SRG-OS-000250-GPOS-00093", "fix_id": "F-47758r743826_fix", + "satisfies": [ + "SRG-OS-000250-GPOS-00093", + "SRG-OS-000393-GPOS-00173", + "SRG-OS-000394-GPOS-00174", + "SRG-OS-000125-GPOS-00065" + ], + "documentable": false, + "cci": [ + "CCI-001453" + ], + "nist": [ + "AC-17 (2)" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244526", + "title": "The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.", + "desc": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, 
non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\n\nRHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory.\n\n", + "impact": 0.5, + "descs": { + "check": "Verify that system-wide crypto policies are in effect:\n\n$ sudo grep -i crypto_policy /etc/sysconfig/sshd\n\n# crypto_policy=\n\nIf the \"crypto_policy\" is uncommented, this is a finding.", + "fix": "Configure the RHEL 8 SSH daemon to use system-wide crypto policies by adding the following line to /etc/sysconfig/sshd:\n\n# crypto_policy=\n\nA reboot is required for the changes to take effect." + } + }, + "V-244527": { + "tags": { + "check_id": "C-47802r743828_chk", + "severity": "low", + "gid": "V-244527", + "rid": "SV-244527r743830_rule", + "stig_id": "RHEL-08-010472", + "gtitle": "SRG-OS-000480-GPOS-00227", + "fix_id": "F-47759r743829_fix", + "documentable": false, + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244527", + "title": "RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.", + "desc": "The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. 
The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. \n\nThe rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers).", + "impact": 0.3, + "descs": { + "check": "Check that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command:\n\n$ sudo yum list installed rng-tools\n\nrng-tools.x86_64 6.8-3.el8 @anaconda\n\nIf the \"rng-tools\" package is not installed, this is a finding.", + "fix": "Install the packages required to enabled the hardware random number generator entropy gatherer service with the following command:\n\n$ sudo yum install rng-tools" + } + }, + "V-244528": { + "tags": { + "check_id": "C-47803r743831_chk", + "severity": "medium", + "gid": "V-244528", + "rid": "SV-244528r743833_rule", + "stig_id": "RHEL-08-010522", + "gtitle": "SRG-OS-000480-GPOS-00227", + "fix_id": "F-47760r743832_fix", + "documentable": false, + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244528", + "title": "The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.", + "desc": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.", + "impact": 0.5, + "descs": { + "check": "Verify the SSH daemon does not allow GSSAPI authentication with the following command:\n\n$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config\n\nGSSAPIAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, no output is returned, or has not been documented with the 
ISSO, this is a finding.", + "fix": "Configure the SSH daemon to not allow GSSAPI authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"no\":\n\nGSSAPIAuthentication no\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n$ sudo systemctl restart sshd.service" + } + }, + "V-244529": { + "tags": { + "check_id": "C-47804r743834_chk", + "severity": "medium", + "gid": "V-244529", + "rid": "SV-244529r743836_rule", + "stig_id": "RHEL-08-010544", + "gtitle": "SRG-OS-000480-GPOS-00227", + "fix_id": "F-47761r743835_fix", + "documentable": false, + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244529", + "title": "RHEL 8 must use a separate file system for /var/tmp.", + "desc": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.", + "impact": 0.5, + "descs": { + "check": "Verify that a separate file system/partition has been created for \"/var/tmp\".\n\nCheck that a file system/partition has been created for \"/var/tmp\" with the following command:\n\n$ sudo grep /var/tmp /etc/fstab\n\nUUID=c274f65f /var/tmp xfs noatime,nobarrier 1 2\n\nIf a separate entry for \"/var/tmp\" is not in use, this is a finding.", + "fix": "Migrate the \"/var/tmp\" path onto a separate file system." 
+ } + }, + "V-244530": { + "tags": { + "check_id": "C-47805r743837_chk", + "severity": "medium", + "gid": "V-244530", + "rid": "SV-244530r743839_rule", + "stig_id": "RHEL-08-010572", + "gtitle": "SRG-OS-000480-GPOS-00227", + "fix_id": "F-47762r743838_fix", + "documentable": false, + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244530", + "title": "RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.", + "desc": "The \"nosuid\" mount option causes the system not to execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.", + "impact": 0.5, + "descs": { + "check": "For systems that use BIOS, this is Not Applicable.\n\nVerify the /boot/efi directory is mounted with the \"nosuid\" option with the following command:\n\n$ sudo mount | grep '\\s/boot/efi\\s'\n\n/dev/sda1 on /boot/efi type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota)\n\nIf the /boot/efi file system does not have the \"nosuid\" option set, this is a finding.", + "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on the /boot/efi directory." 
+ } + }, + "V-244531": { + "tags": { + "check_id": "C-47806r743840_chk", + "severity": "medium", + "gid": "V-244531", + "rid": "SV-244531r743842_rule", + "stig_id": "RHEL-08-010731", + "gtitle": "SRG-OS-000480-GPOS-00227", + "fix_id": "F-47763r743841_fix", + "documentable": false, + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244531", + "title": "All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.", + "desc": "Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.", + "impact": 0.5, + "descs": { + "check": "Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of \"0750\".\nFiles that begin with a \".\" are excluded from this requirement.\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n\n$ sudo ls -lLR /home/smithj\n-rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1\n-rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3\n\nIf any files or directories are found with a mode more permissive than \"0750\", this is a finding.", + "fix": "Set the mode on files and directories in the local interactive user home directory with the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\" and is a member of the users group.\n\n$ sudo chmod 0750 /home/smithj/" + } + }, + "V-244532": { + "tags": { + "check_id": "C-47807r743843_chk", + "severity": "medium", + "gid": "V-244532", + "rid": "SV-244532r743845_rule", + "stig_id": "RHEL-08-010741", + "gtitle": "SRG-OS-000480-GPOS-00227", + "fix_id": "F-47764r743844_fix", + "documentable": false, + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise 
Linux 8" + ], + "id": "V-244532", + "title": "RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.", + "desc": "If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.", + "impact": 0.5, + "descs": { + "check": "Verify all files and directories in a local interactive user home directory are group-owned by a group that the user is a member.\n\nCheck the group owner of all files and directories in a local interactive user's home directory with the following command:\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n\n$ sudo ls -lLR ///\n-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3\n\nIf any files found with a group-owner different from the home directory user private group, check to see if the user is a member of that group with the following command:\n\n$ sudo grep smithj /etc/group\nsa:x:100:juan,shelley,bob,smithj \nsmithj:x:521:smithj\n\nIf any files or directories are group owned by a group that the directory owner is not a member of, this is a finding.", + "fix": "Change the group of a local interactive user's files and directories to a group that the interactive user is a member. 
To change the group owner of a local interactive user's files and directories, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\" and is a member of the users group.\n\n$ sudo chgrp smithj /home/smithj/" + } + }, + "V-244533": { + "tags": { + "check_id": "C-47808r743846_chk", + "severity": "medium", + "gid": "V-244533", + "rid": "SV-244533r743848_rule", + "stig_id": "RHEL-08-020025", + "gtitle": "SRG-OS-000021-GPOS-00005", + "fix_id": "F-47765r743847_fix", + "satisfies": [ + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" + ], + "documentable": false, + "cci": [ + "CCI-000044" + ], + "nist": [ + "AC-7 a" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244533", + "title": "RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.", + "desc": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. 
If that is undesirable a different tally directory must be set with the \"dir\" option.\nThe preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password.\n\n", + "impact": 0.5, + "descs": { + "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the pam_faillock.so module is present in the \"/etc/pam.d/system-auth\" file:\n\n$ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so\nIf the pam_faillock.so module is not present in the \"/etc/pam.d/system-auth\" file with the \"preauth\" line listed before pam_unix.so, this is a finding.", + "fix": "Configure the operating system to include the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.\n\nAdd/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" file to match the following lines:\nNote: The \"preauth\" line must be listed before pam_unix.so.\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so" + } + }, + "V-244534": { + "tags": { + "check_id": "C-47809r743849_chk", + "severity": "medium", + "gid": "V-244534", + "rid": "SV-244534r743851_rule", + "stig_id": "RHEL-08-020026", + "gtitle": "SRG-OS-000021-GPOS-00005", + "fix_id": "F-47766r743850_fix", + "satisfies": [ + "SRG-OS-000021-GPOS-00005", + "SRG-OS-000329-GPOS-00128" + ], + "documentable": false, + "cci": [ + "CCI-000044" + ], + "nist": [ + "AC-7 a" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244534", + "title": "RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.", + "desc": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as 
brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\nThe preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password.\n\n", + "impact": 0.5, + "descs": { + "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the pam_faillock.so module is present in the \"/etc/pam.d/password-auth\" file:\n\n$ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so\n\nIf the pam_faillock.so module is not present in the \"/etc/pam.d/password-auth\" file with the \"preauth\" line listed before pam_unix.so, this is a finding.", + "fix": "Configure the operating system to include the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.\n\nAdd/Modify the appropriate sections of the \"/etc/pam.d/password-auth\" file to match the following lines:\nNote: The \"preauth\" line must be listed before pam_unix.so.\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so" + } + }, + "V-244535": { + "tags": { + "check_id": "C-47810r743852_chk", + "severity": "medium", + "gid": 
"V-244535", + "rid": "SV-244535r743854_rule", + "stig_id": "RHEL-08-020031", + "gtitle": "SRG-OS-000029-GPOS-00010", + "fix_id": "F-47767r743853_fix", + "satisfies": [ + "SRG-OS-000029-GPOS-00010", + "SRG-OS-000031-GPOS-00012", + "SRG-OS-000480-GPOS-00227" + ], + "documentable": false, + "cci": [ + "CCI-000057" + ], + "nist": [ + "AC-11 a" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244535", + "title": "RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.", + "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.\n\n", + "impact": 0.5, + "descs": { + "check": "Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated with the following command:\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. 
If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\n$ sudo gsettings get org.gnome.desktop.screensaver lock-delay\n\nuint32 5\n\nIf the \"uint32\" setting is missing, or is not set to \"5\" or less, this is a finding.", + "fix": "Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n$ sudo touch /etc/dconf/db/local.d/00-screensaver\n\n[org/gnome/desktop/screensaver]\nlock-delay=uint32 5\n\nThe \"uint32\" must be included along with the integer key values as shown.\n\nUpdate the system databases:\n\n$ sudo dconf update" + } + }, + "V-244536": { + "tags": { + "check_id": "C-47811r743855_chk", + "severity": "medium", + "gid": "V-244536", + "rid": "SV-244536r743857_rule", + "stig_id": "RHEL-08-020032", + "gtitle": "SRG-OS-000480-GPOS-00227", + "fix_id": "F-47768r743856_fix", + "documentable": false, + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244536", + "title": "RHEL 8 must disable the user list at logon for graphical user interfaces.", + "desc": "Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system.", + "impact": 0.5, + "descs": { + "check": "Verify the operating system disables the user logon list for graphical user interfaces with the following command:\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. 
If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\n$ sudo gsettings get org.gnome.login-screen disable-user-list\ntrue\n\nIf the setting is \"false\", this is a finding.", + "fix": "Configure the operating system to disable the user list at logon for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n$ sudo touch /etc/dconf/db/local.d/02-login-screen\n\n[org/gnome/login-screen]\ndisable-user-list=true\n\nUpdate the system databases:\n$ sudo dconf update" + } + }, + "V-244537": { + "tags": { + "check_id": "C-47812r743858_chk", + "severity": "medium", + "gid": "V-244537", + "rid": "SV-244537r743860_rule", + "stig_id": "RHEL-08-020039", + "gtitle": "SRG-OS-000028-GPOS-00009", + "fix_id": "F-47769r743859_fix", + "satisfies": [ + "SRG-OS-000028-GPOS-00009", + "SRG-OS-000030-GPOS-00011" + ], + "documentable": false, + "cci": [ + "CCI-000056" + ], + "nist": [ + "AC-11 b" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244537", + "title": "RHEL 8 must have the tmux package installed.", + "desc": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\nThe session lock is implemented at the point where session activity can be determined. 
Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\nTmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.\n\n", + "impact": 0.5, + "descs": { + "check": "Verify RHEL 8 has the \"tmux\" package installed, by running the following command:\n\n$ sudo yum list installed tmux\n\ntmux.x86.64 2.7-1.el8 @repository\n\nIf \"tmux\" is not installed, this is a finding.", + "fix": "Configure the operating system to enable a user to initiate a session lock via tmux.\n\nInstall the \"tmux\" package, if it is not already installed, by running the following command:\n\n$ sudo yum install tmux" + } + }, + "V-244538": { + "tags": { + "check_id": "C-47813r743861_chk", + "severity": "medium", + "gid": "V-244538", + "rid": "SV-244538r743863_rule", + "stig_id": "RHEL-08-020081", + "gtitle": "SRG-OS-000029-GPOS-00010", + "fix_id": "F-47770r743862_fix", + "satisfies": [ + "SRG-OS-000029-GPOS-00010", + "SRG-OS-000031-GPOS-00012", + "SRG-OS-000480-GPOS-00227" + ], + "documentable": false, + "cci": [ + "CCI-000057" + ], + "nist": [ + "AC-11 a" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244538", + "title": "RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.", + "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.\n\nImplementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.\n\nLocking these settings from non-privileged users is crucial to maintaining a protected baseline.\n\n", + "impact": 0.5, + "descs": { + "check": "Verify the operating system prevents a user from overriding settings for graphical user interfaces. \n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n\n$ sudo grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck that graphical settings are locked from non-privileged user modification with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n$ sudo grep -i idle /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/session/idle-delay\n\nIf the command does not return at least the example result, this is a finding.", + "fix": "Configure the operating system to prevent a user from overriding settings for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n$ sudo touch /etc/dconf/db/local.d/locks/session\n\nAdd the following setting to prevent non-privileged users from modifying it:\n\n/org/gnome/desktop/session/idle-delay" + } + }, + "V-244539": { + "tags": { + "check_id": "C-47814r743864_chk", + "severity": "medium", + "gid": "V-244539", + "rid": "SV-244539r743866_rule", + "stig_id": "RHEL-08-020082", + "gtitle": "SRG-OS-000029-GPOS-00010", + "fix_id": "F-47771r743865_fix", + "satisfies": [ + "SRG-OS-000029-GPOS-00010", + "SRG-OS-000031-GPOS-00012", + "SRG-OS-000480-GPOS-00227" + ], + "documentable": false, + "cci": [ + "CCI-000057" + ], + "nist": [ + "AC-11 a" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244539", + "title": "RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.", + "desc": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.\n\nImplementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.\n\nLocking these settings from non-privileged users is crucial to maintaining a protected baseline.\n\n", + "impact": 0.5, + "descs": { + "check": "Verify the operating system prevents a user from overriding settings for graphical user interfaces. \n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n\n$ sudo grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck that graphical settings are locked from non-privileged user modification with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n$ sudo grep -i lock-enabled /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/lock-enabled\n\nIf the command does not return at least the example result, this is a finding.", + "fix": "Configure the operating system to prevent a user from overriding settings for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n$ sudo touch /etc/dconf/db/local.d/locks/session\n\nAdd the following setting to prevent non-privileged users from modifying it:\n\n/org/gnome/desktop/screensaver/lock-enabled" + } + }, + "V-244540": { + "tags": { + "check_id": "C-47815r743867_chk", + "severity": "high", + "gid": "V-244540", + "rid": "SV-244540r743869_rule", + "stig_id": "RHEL-08-020331", + "gtitle": "SRG-OS-000480-GPOS-00227", + "fix_id": "F-47772r743868_fix", + "documentable": false, + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244540", + "title": "RHEL 8 must not allow blank or null passwords in the system-auth file.", + "desc": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.", + "impact": 0.7, + "descs": { + "check": "To verify that null passwords cannot be used, run the following command:\n\n$ sudo grep -i nullok /etc/pam.d/system-auth\n\nIf output is produced, this is a finding.", + "fix": "Remove any instances of the \"nullok\" option in the \"/etc/pam.d/system-auth\" file to prevent logons with empty passwords.\n\nNote: Manual changes to the listed file may be overwritten by the \"authselect\" program." + } + }, + "V-244541": { + "tags": { + "check_id": "C-47816r743870_chk", + "severity": "high", + "gid": "V-244541", + "rid": "SV-244541r743872_rule", + "stig_id": "RHEL-08-020332", + "gtitle": "SRG-OS-000480-GPOS-00227", + "fix_id": "F-47773r743871_fix", + "documentable": false, "cci": [ - "CCI-001453" + "CCI-000366" ], "nist": [ - "AC-17 (2)" + "CM-6 b" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244541", + "title": "RHEL 8 must not allow blank or null passwords in the password-auth file.", + "desc": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.", + "impact": 0.7, + "descs": { + "check": "To verify that null passwords cannot be used, run the following command:\n\n$ sudo grep -i nullok /etc/pam.d/password-auth\n\nIf output is produced, this is a finding.", + "fix": "Remove any instances of the \"nullok\" option in the \"/etc/pam.d/password-auth\" file to prevent logons with empty passwords.\n\nNote: Manual changes to the listed file may be overwritten by the \"authselect\" program." 
+ } + }, + "V-244542": { + "tags": { + "check_id": "C-47817r743873_chk", + "severity": "medium", + "gid": "V-244542", + "rid": "SV-244542r743875_rule", + "stig_id": "RHEL-08-030181", + "gtitle": "SRG-OS-000062-GPOS-00031", + "fix_id": "F-47774r743874_fix", + "satisfies": [ + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000038-GPOS-00016", + "SRG-OS-000039-GPOS-00017", + "SRG-OS-000040-GPOS-00018", + "SRG-OS-000041-GPOS-00019", + "SRG-OS-000042-GPOS-00021", + "SRG-OS-000051-GPOS-00024", + "SRG-OS-000054-GPOS-00025", + "SRG-OS-000122-GPOS-00063", + "SRG-OS-000254-GPOS-00095", + "SRG-OS-000255-GPOS-00096", + "SRG-OS-000337-GPOS-00129", + "SRG-OS-000348-GPOS-00136", + "SRG-OS-000349-GPOS-00137", + "SRG-OS-000350-GPOS-00138", + "SRG-OS-000351-GPOS-00139", + "SRG-OS-000352-GPOS-00140", + "SRG-OS-000353-GPOS-00141", + "SRG-OS-000354-GPOS-00142", + "SRG-OS-000358-GPOS-00145", + "SRG-OS-000365-GPOS-00152", + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000475-GPOS-00220" + ], + "documentable": false, + "cci": [ + "CCI-000169" + ], + "nist": [ + "AU-12 a" ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244542", + "title": "RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.", + "desc": "Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in RHEL 8 audit logs provides a means 
of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system.\n\n", + "impact": 0.5, + "descs": { + "check": "Verify the audit service is configured to produce audit records with the following command:\n\n$ sudo systemctl status auditd.service.\n\nauditd.service - Security Auditing Service\nLoaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)\nActive: active (running) since Tues 2020-12-11 12:56:56 EST; 4 weeks 0 days ago\n\nIf the audit service is not \"active\" and \"running\", this is a finding.", + "fix": "Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred with the following commands:\n\n$ sudo systemctl enable auditd.service\n\n$ sudo systemctl start auditd.service" + } + }, + "V-244543": { + "tags": { + "check_id": "C-47818r743876_chk", + "severity": "medium", + "gid": "V-244543", + "rid": "SV-244543r743878_rule", + "stig_id": "RHEL-08-030731", + "gtitle": "SRG-OS-000343-GPOS-00134", + "fix_id": "F-47775r743877_fix", + "documentable": false, + "cci": [ + "CCI-001855" + ], + "nist": [ + "AU-5 (1)" ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" ], - "id": [ - "V-244526" + "id": "V-244543", + "title": "RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.", + "desc": "If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.", + "impact": 0.5, + "descs": { + "check": "Verify RHEL 8 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:\n\n$ sudo grep -w space_left_action 
/etc/audit/auditd.conf\n\nspace_left_action = email\n\nIf the value of the \"space_left_action\" is not set to \"email\", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.\n\nIf there is no evidence that real-time alerts are configured on the system, this is a finding.", + "fix": "Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file.\n\nspace_left_action = email\n\nNote: Option names and values in the auditd.conf file are case insensitive." + } + }, + "V-244544": { + "tags": { + "check_id": "C-47819r743879_chk", + "severity": "medium", + "gid": "V-244544", + "rid": "SV-244544r743881_rule", + "stig_id": "RHEL-08-040101", + "gtitle": "SRG-OS-000297-GPOS-00115", + "fix_id": "F-47776r743880_fix", + "documentable": false, + "cci": [ + "CCI-002314" + ], + "nist": [ + "AC-17 (1)" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" ], - "title": "The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.", - "desc": "[\"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\\n\\nRemote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. 
Remote access methods include, for example, dial-up, broadband, and wireless.\\n\\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\\n\\nRHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory.\\n\\nSatisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065false\"]", + "id": "V-244544", + "title": "A firewall must be active on RHEL 8.", + "desc": "\"Firewalld\" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.\n\nRemote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\nRHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. 
Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).", "impact": 0.5, "descs": { - "check": "Verify that system-wide crypto policies are in effect:\n\n$ sudo grep -i crypto_policy /etc/sysconfig/sshd\n\n# crypto_policy=\n\nIf the \"crypto_policy\" is uncommented, this is a finding.", - "fix": "Configure the RHEL 8 SSH daemon to use system-wide crypto policies by adding the following line to /etc/sysconfig/sshd:\n\n# crypto_policy=\n\nA reboot is required for the changes to take effect." + "check": "Verify that \"firewalld\" is active with the following commands:\n\n$ sudo systemctl is-active firewalld\n\nactive\n\nIf the \"firewalld\" package is not \"active\", ask the System Administrator if another firewall is installed. If no firewall is installed and active this is a finding.", + "fix": "Configure \"firewalld\" to protect the operating system with the following command:\n\n$ sudo systemctl enable firewalld" } }, - "V-244527": { + "V-244545": { "tags": { - "check_id": "C-47802r743828_chk", - "severity": "low", - "gid": "V-244527", - "rid": "SV-244527r743830_rule", - "stig_id": "RHEL-08-010472", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-47759r743829_fix", + "check_id": "C-47820r743882_chk", + "severity": "medium", + "gid": "V-244545", + "rid": "SV-244545r743884_rule", + "stig_id": "RHEL-08-040136", + "gtitle": "SRG-OS-000368-GPOS-00154", + "fix_id": "F-47777r743883_fix", + "satisfies": [ + "SRG-OS-000368-GPOS-00154", + "SRG-OS-000370-GPOS-00155", + "SRG-OS-000480-GPOS-00232" + ], + "documentable": false, "cci": [ - "CCI-000366" + "CCI-001764" ], "nist": [ - "CM-6 b" + "CM-7 (2)" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244545", + "title": "The RHEL 8 fapolicy 
module must be enabled.", + "desc": "The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.\n\nUtilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.\n\nUser home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.\n\nRHEL 8 ships with many optional packages. One such package is a file access policy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.\n\nProceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. 
The \"fapolicyd\" API is not namespace aware and can cause issues when launching or running containers.\n\n", + "impact": 0.5, + "descs": { + "check": "Verify the RHEL 8 \"fapolicyd\" is enabled and running with the following command:\n\n$ sudo systemctl status fapolicyd.service\n\nfapolicyd.service - File Access Policy Daemon\nLoaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)\nActive: active (running)\n\nIf fapolicyd is not enabled and running, this is a finding.", + "fix": "Enable \"fapolicyd\" using the following command:\n\n$ sudo systemctl enable --now fapolicyd" + } + }, + "V-244546": { + "tags": { + "check_id": "C-47821r743885_chk", + "severity": "medium", + "gid": "V-244546", + "rid": "SV-244546r743887_rule", + "stig_id": "RHEL-08-040137", + "gtitle": "SRG-OS-000368-GPOS-00154", + "fix_id": "F-47778r743886_fix", + "satisfies": [ + "SRG-OS-000368-GPOS-00154", + "SRG-OS-000370-GPOS-00155", + "SRG-OS-000480-GPOS-00232" + ], + "documentable": false, + "cci": [ + "CCI-001764" + ], + "nist": [ + "CM-7 (2)" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244546", + "title": "The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.", + "desc": "The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.\n\nUtilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.\n\nUser home directories/folders may contain information of a sensitive nature. 
Non-privileged users should coordinate any sharing of information with an SA through shared resources.\n\nRHEL 8 ships with many optional packages. One such package is a file access policy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.\n\nProceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The \"fapolicyd\" API is not namespace aware and can cause issues when launching or running containers.\n\n", + "impact": 0.5, + "descs": { + "check": "Verify the RHEL 8 \"fapolicyd\" employs a deny-all, permit-by-exception policy.\n\nCheck that \"fapolicyd\" is in enforcement mode with the following command:\n\n$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf\n\npermissive = 0\n\nCheck that fapolicyd employs a deny-all policy on system mounts with the following commands:\n\n$ sudo tail /etc/fapolicyd/fapolicyd.rules\n\nallow exe=/usr/bin/python3.7 : ftype=text/x-python\ndeny_audit perm=any pattern=ld_so : all\ndeny perm=any all : all\n\n$ sudo cat /etc/fapolicyd/fapolicyd.mounts\n\n/dev/shm\n/run\n/sys/fs/cgroup\n/\n/home\n/boot\n/run/user/42\n/run/user/1000\n\nIf fapolicyd is not running in enforcement mode on all system mounts with a deny-all, permit-by-exception policy, this is a finding.", + "fix": "Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with \"fapolicyd\" using the following command:\n\nNote: Running this command requires a root shell\n\n# mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf \"%s\\n\", $3 }' >> /etc/fapolicyd/fapolicyd.mounts\n\nWith the \"fapolicyd\" installed and enabled, configure the daemon to function in permissive mode until the whitelist is built correctly to avoid system lockout. 
Do this by editing the \"/etc/fapolicyd/fapolicyd.conf\" file with the following line:\n\npermissive = 1\n\nBuild the whitelist in the \"/etc/fapolicyd/fapolicyd.rules\" file ensuring the last rule is \"deny perm=any all : all\".\n\nOnce it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the \"permissive\" line in the /etc/fapolicyd/fapolicyd.conf file.\n\npermissive = 0" + } + }, + "V-244547": { + "tags": { + "check_id": "C-47822r743888_chk", + "severity": "medium", + "gid": "V-244547", + "rid": "SV-244547r743890_rule", + "stig_id": "RHEL-08-040139", + "gtitle": "SRG-OS-000378-GPOS-00163", + "fix_id": "F-47779r743889_fix", + "documentable": false, + "cci": [ + "CCI-001958" + ], + "nist": [ + "IA-3" ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-244547", + "title": "RHEL 8 must have the USBGuard installed.", + "desc": "Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\nPeripherals include, but are not limited to, such devices as flash drives, external storage, and printers.\nA new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. 
The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.\n\nThe System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.", + "impact": 0.5, + "descs": { + "check": "Verify USBGuard is installed on the operating system with the following command:\n\n$ sudo yum list installed usbguard\n\nInstalled Packages\nusbguard.x86_64 0.7.8-7.el8 @ol8_appstream\n\nIf the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked.\nIf there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.", + "fix": "Install the USBGuard package with the following command:\n\n$ sudo yum install usbguard.x86_64" + } + }, + "V-244548": { + "tags": { + "check_id": "C-47823r743891_chk", + "severity": "medium", + "gid": "V-244548", + "rid": "SV-244548r743893_rule", + "stig_id": "RHEL-08-040141", + "gtitle": "SRG-OS-000378-GPOS-00163", + "fix_id": "F-47780r743892_fix", + "documentable": false, + "cci": [ + "CCI-001958" + ], + "nist": [ + "IA-3" ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" ], - "id": [ - "V-244527" + "id": "V-244548", + "title": "RHEL 8 must enable the USBGuard.", + "desc": "Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\n\nPeripherals include, but are not limited to, such devices as flash drives, external storage, and printers.\n\nA new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. 
The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.\n\nThe System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.", + "impact": 0.5, + "descs": { + "check": "Verify the operating system has enabled the use of the USBGuard with the following command:\n\n$ sudo systemctl status usbguard.service\n\nusbguard.service - USBGuard daemon\nLoaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled)\nActive: active (running)\n\nIf the usbguard.service is not enabled and active, ask the SA to indicate how unauthorized peripherals are being blocked.\nIf there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.", + "fix": "Configure the operating system to enable the blocking of unauthorized peripherals with the following commands:\n\n$ sudo systemctl enable usbguard.service\n\n$ sudo systemctl start usbguard.service\n\nNote: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouse" + } + }, + "V-244549": { + "tags": { + "check_id": "C-47824r743894_chk", + "severity": "medium", + "gid": "V-244549", + "rid": "SV-244549r743896_rule", + "stig_id": "RHEL-08-040159", + "gtitle": "SRG-OS-000423-GPOS-00187", + "fix_id": "F-47781r743895_fix", + "satisfies": [ + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000424-GPOS-00188", + "SRG-OS-000425-GPOS-00189", + "SRG-OS-000426-GPOS-00190" + ], + "documentable": false, + "cci": [ + "CCI-002418" + ], + "nist": [ + "SC-8" + ] + }, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" ], - "title": "RHEL 8 must 
have the packages required to use the hardware random number generator entropy gatherer service.", - "desc": "[\"The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. \\n\\nThe rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers).false\"]", - "impact": 0.3, + "id": "V-244549", + "title": "All RHEL 8 networked systems must have SSH installed.", + "desc": "Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\n\n", + "impact": 0.5, "descs": { - "check": "Check that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command:\n\n$ sudo yum list installed rng-tools\n\nrng-tools.x86_64 6.8-3.el8 @anaconda\n\nIf the \"rng-tools\" package is not installed, this is a finding.", - "fix": "Install the packages required to enabled the hardware random number generator entropy gatherer service with the following command:\n\n$ sudo yum install rng-tools" + "check": "Verify SSH is installed with the following command:\n\n$ sudo yum list installed openssh-server\n\nopenssh-server.x86_64 8.0p1-5.el8 @anaconda\n\nIf the \"SSH server\" package is not installed, this is a finding.", + "fix": "Install SSH packages onto the host with the following command:\n\n$ sudo yum install openssh-server.x86_64" } }, - "V-244528": { + "V-244550": { "tags": { - "check_id": "C-47803r743831_chk", + "check_id": "C-47825r743897_chk", "severity": "medium", - "gid": "V-244528", - "rid": "SV-244528r743833_rule", - "stig_id": "RHEL-08-010522", + "gid": "V-244550", + "rid": "SV-244550r743899_rule", + "stig_id": "RHEL-08-040209", "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-47760r743832_fix", + "fix_id": "F-47782r743898_fix", + "documentable": false, "cci": [ "CCI-000366" ], 
@@ -1735,30 +3789,27 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244528" + "DPMS Target Red Hat Enterprise Linux 8" ], - "title": "The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.", - "desc": "[\"Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false\"]", + "id": "V-244550", + "title": "RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.", + "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.", "impact": 0.5, "descs": { - "check": "Verify the SSH daemon does not allow GSSAPI authentication with the following command:\n\n$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config\n\nGSSAPIAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, no output is returned, or has not been documented with the ISSO, this is a finding.", - "fix": "Configure the SSH daemon to not allow GSSAPI authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"no\":\n\nGSSAPIAuthentication no\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the SSH daemon, run the following command:\n\n$ sudo systemctl restart sshd.service" + "check": "Verify RHEL 8 will not accept IPv4 ICMP redirect messages.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_redirects\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.", + "fix": "Configure RHEL 8 to prevent IPv4 ICMP redirect messages from being accepted with the following command:\n\n$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.default.accept_redirects=0" } }, - "V-244529": { + "V-244551": { "tags": { - "check_id": "C-47804r743834_chk", - "severity": "medium", - "gid": "V-244529", - "rid": "SV-244529r743836_rule", - "stig_id": "RHEL-08-010544", + "check_id": "C-47826r743900_chk", + "severity": "medium", + "gid": "V-244551", + "rid": "SV-244551r743902_rule", + "stig_id": "RHEL-08-040239", "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-47761r743835_fix", + "fix_id": "F-47783r743901_fix", + "documentable": false, "cci": [ "CCI-000366" ], 
@@ -1767,30 +3818,27 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244529" + "DPMS Target Red Hat Enterprise Linux 8" ], - "title": "RHEL 8 must use a separate file system for /var/tmp.", - "desc": "[\"The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false\"]", + "id": "V-244551", + "title": "RHEL 8 must not forward IPv4 source-routed packets.", + "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.", "impact": 0.5, "descs": { - "check": "Verify that a separate file system/partition has been created for \"/var/tmp\".\n\nCheck that a file system/partition has been created for \"/var/tmp\" with the following command:\n\n$ sudo grep /var/tmp /etc/fstab\n\nUUID=c274f65f /var/tmp xfs noatime,nobarrier 1 2\n\nIf a separate entry for \"/var/tmp\" is not in use, this is a finding.", - "fix": "Migrate the \"/var/tmp\" path onto a separate file system." 
+ "check": "Verify RHEL 8 does not accept IPv4 source-routed packets.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_source_route\n\nnet.ipv4.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.", + "fix": "Configure RHEL 8 to not forward IPv4 source-routed packets with the following command:\n\n$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0\n\nIf \"0\" is not the system's all value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.all.accept_source_route=0" } }, - "V-244530": { + "V-244552": { "tags": { - "check_id": "C-47805r743837_chk", + "check_id": "C-47827r743903_chk", "severity": "medium", - "gid": "V-244530", - "rid": "SV-244530r743839_rule", - "stig_id": "RHEL-08-010572", + "gid": "V-244552", + "rid": "SV-244552r743905_rule", + "stig_id": "RHEL-08-040249", "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-47762r743838_fix", + "fix_id": "F-47784r743904_fix", + "documentable": false, "cci": [ "CCI-000366" ], 
@@ -1799,30 +3847,27 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244530" + "DPMS Target Red Hat Enterprise Linux 8" ], - "title": "RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.", - "desc": "[\"The \\\"nosuid\\\" mount option causes the system not to execute \\\"setuid\\\" and \\\"setgid\\\" files with owner privileges. This option must be used for mounting any file system not containing approved \\\"setuid\\\" and \\\"setguid\\\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false\"]", + "id": "V-244552", + "title": "RHEL 8 must not forward IPv4 source-routed packets by default.", + "desc": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.", "impact": 0.5, "descs": { - "check": "For systems that use BIOS, this is Not Applicable.\n\nVerify the /boot/efi directory is mounted with the \"nosuid\" option with the following command:\n\n$ sudo mount | grep '\\s/boot/efi\\s'\n\n/dev/sda1 on /boot/efi type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota)\n\nIf the /boot/efi file system does not have the \"nosuid\" option set, this is a finding.", - "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on the /boot/efi directory." 
+ "check": "Verify RHEL 8 does not accept IPv4 source-routed packets by default.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_source_route\n\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.", + "fix": "Configure RHEL 8 to not forward IPv4 source-routed packets by default with the following command:\n\n$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0\n\nIf \"0\" is not the system's default value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.default.accept_source_route=0" } }, - "V-244531": { + "V-244553": { "tags": { - "check_id": "C-47806r743840_chk", + "check_id": "C-47828r743906_chk", "severity": "medium", - "gid": "V-244531", - "rid": "SV-244531r743842_rule", - "stig_id": "RHEL-08-010731", + "gid": "V-244553", + "rid": "SV-244553r743908_rule", + "stig_id": "RHEL-08-040279", "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-47763r743841_fix", + "fix_id": "F-47785r743907_fix", + "documentable": false, "cci": [ "CCI-000366" ], 
@@ -1831,30 +3876,27 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244531" + "DPMS Target Red Hat Enterprise Linux 8" ], - "title": "All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.", - "desc": "[\"Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.false\"]", + "id": "V-244553", + "title": "RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.", + "desc": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.", "impact": 0.5, "descs": { - "check": "Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of \"0750\".\nFiles that begin with a \".\" are excluded from this requirement.\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n\n$ sudo ls -lLR /home/smithj\n-rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1\n-rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3\n\nIf any files or directories are found with a mode more permissive than \"0750\", this is a finding.", - "fix": "Set the mode on files and directories in the local interactive user home directory with the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\" and is a member of the users group.\n\n$ sudo chmod 0750 /home/smithj/" + "check": "Verify RHEL 8 ignores IPv4 ICMP redirect messages.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl 
net.ipv4.conf.all.accept_redirects\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.", + "fix": "Configure RHEL 8 to ignore IPv4 ICMP redirect messages with the following command:\n\n$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.all.accept_redirects = 0" } }, - "V-244532": { + "V-244554": { "tags": { - "check_id": "C-47807r743843_chk", + "check_id": "C-47829r743909_chk", "severity": "medium", - "gid": "V-244532", - "rid": "SV-244532r743845_rule", - "stig_id": "RHEL-08-010741", + "gid": "V-244554", + "rid": "SV-244554r743911_rule", + "stig_id": "RHEL-08-040286", "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-47764r743844_fix", + "fix_id": "F-47786r743910_fix", + "documentable": false, "cci": [ "CCI-000366" ], 
@@ -1863,758 +3905,1662 @@ ] }, "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244532" + "DPMS Target Red Hat Enterprise Linux 8" ], - "title": "RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.", - "desc": "[\"If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.false\"]", + "id": "V-244554", + "title": "RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.", + "desc": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\nEnabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. 
Setting the value to \"2\" enables JIT hardening for all users.", "impact": 0.5, "descs": { - "check": "Verify all files and directories in a local interactive user home directory are group-owned by a group that the user is a member.\n\nCheck the group owner of all files and directories in a local interactive user's home directory with the following command:\n\nNote: The example will be for the user \"smithj\", who has a home directory of \"/home/smithj\".\n\n$ sudo ls -lLR ///\n-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1\n-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2\n-rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3\n\nIf any files found with a group-owner different from the home directory user private group, check to see if the user is a member of that group with the following command:\n\n$ sudo grep smithj /etc/group\nsa:x:100:juan,shelley,bob,smithj \nsmithj:x:521:smithj\n\nIf any files or directories are group owned by a group that the directory owner is not a member of, this is a finding.", - "fix": "Change the group of a local interactive user's files and directories to a group that the interactive user is a member. To change the group owner of a local interactive user's files and directories, use the following command:\n\nNote: The example will be for the user smithj, who has a home directory of \"/home/smithj\" and is a member of the users group.\n\n$ sudo chgrp smithj /home/smithj/" + "check": "Verify RHEL 8 enables hardening for the BPF JIT with the following commands:\n\n$ sudo sysctl net.core.bpf_jit_harden\n\nnet.core.bpf_jit_harden = 2\n\nIf the returned line does not have a value of \"2\", or a line is not returned, this is a finding.", + "fix": "Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file in the \"/etc/sysctl.d\" directory:\n\nnet.core.bpf_jit_harden = 2\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system" } }, - "V-244533": { + "V-245540": { "tags": { - "check_id": "C-47808r743846_chk", + "check_id": "C-48814r754728_chk", "severity": "medium", - "gid": "V-244533", - "rid": "SV-244533r743848_rule", - "stig_id": "RHEL-08-020025", - "gtitle": "SRG-OS-000021-GPOS-00005", - "fix_id": "F-47765r743847_fix", + "gid": "V-245540", + "rid": "SV-245540r754730_rule", + "stig_id": "RHEL-08-010001", + "gtitle": "SRG-OS-000191-GPOS-00080", + "fix_id": "F-48770r754729_fix", + "documentable": false, "cci": [ - "CCI-000044" + "CCI-001233" ], "nist": [ - "AC-7 a" + "SI-2 (2)" ] }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244533" - ], - "title": "RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.", - "desc": "[\"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\\n\\nIn RHEL 8.2 the \\\"/etc/security/faillock.conf\\\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \\\"local_users_only\\\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\\n\\nFrom \\\"faillock.conf\\\" man pages: Note that the default directory that \\\"pam_faillock\\\" uses is usually cleared on system boot so the access will be reenabled after system reboot. 
If that is undesirable a different tally directory must be set with the \\\"dir\\\" option.\\nThe preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password.\\n\\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false\"]", - "impact": 0.5, + "refs": [ + "DPMS Target Red Hat Enterprise Linux 8" + ], + "id": "V-245540", + "title": "The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.", + "desc": "Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.", + "impact": 0.5, + "descs": { + "check": "Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux.\n\nProcedure:\nCheck that the following package has been installed:\n\n$ sudo rpm -qa | grep -i mcafeetp\n\nIf the \"mcafeetp\" package is not installed, this is a finding.\n\nVerify that the daemon is running:\n\n$ sudo ps -ef | grep -i mfetpd\n\nIf the daemon is not running, this is a finding.", + "fix": "Install and enable the latest McAfee ENSLTP package." + } + } + }, + "changedControls": { + "V-230221": { + "tags": { + "check_id": { + "__old": "C-32890r567409_chk", + "__new": "C-32890r743912_chk" + }, + "rid": { + "__old": "SV-230221r627750_rule", + "__new": "SV-230221r743913_rule" + } + }, + "desc": { + "__old": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. 
With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRed Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.", + "__new": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRed Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata." 
+ }, + "descs": { + "check": { + "__old": "Verify the version of the operating system is vendor supported.\n\nCheck the version of the operating system with the following command:\n\n$ sudo cat /etc/redhat-release\n\nRed Hat Enterprise Linux Server release 8.1 (Ootpa)\n\nCurrent End of Maintenance Support for RHEL 8.1 is 30 April 2020.\n\nCurrent End of Maintenance Support for RHEL 8.2 is 30 November 2020.\n\nCurrent End of Maintenance Support for RHEL 8.3 is 30 April 2021.\n\nCurrent End of Maintenance Support for RHEL 8.4 is 30 November 2021.\n\nCurrent End of Maintenance Support for RHEL 8.5 is 30 April 2022.\n\nCurrent End of Maintenance Support for RHEL 8.6 is 30 November 2022.\n\nCurrent End of Maintenance Support for RHEL 8.7 is 30 April 2023.\n\nCurrent End of Maintenance Support for RHEL 8.8 is 30 November 2023.\n\nIf the release is not supported by the vendor, this is a finding.", + "__new": "Verify the version of the operating system is vendor supported.\n\nCheck the version of the operating system with the following command:\n\n$ sudo cat /etc/redhat-release\n\nRed Hat Enterprise Linux Server release 8.4 (Ootpa)\n\nCurrent End of Extended Update Support for RHEL 8.1 is 30 November 2021.\n\nCurrent End of Extended Update Support for RHEL 8.2 is 30 April 2022.\n\nCurrent End of Extended Update Support for RHEL 8.4 is 30 April 2023.\n\nCurrent End of Maintenance Support for RHEL 8.5 is 30 April 2022.\n\nCurrent End of Extended Update Support for RHEL 8.6 is 30 April 2024.\n\nCurrent End of Maintenance Support for RHEL 8.7 is 30 April 2023.\n\nCurrent End of Extended Update Support for RHEL 8.8 is 30 April 2025.\n\nCurrent End of Maintenance Support for RHEL 8.9 is 30 April 2024.\n\nCurrent End of Maintenance Support for RHEL 8.10 is 31 May 2029.\n\nIf the release is not supported by the vendor, this is a finding." 
+ } + } + }, + "V-230222": {}, + "V-230223": {}, + "V-230224": {}, + "V-230225": {}, + "V-230226": { + "tags": { + "check_id": { + "__old": "C-32895r567424_chk", + "__new": "C-32895r743914_chk" + }, + "rid": { + "__old": "SV-230226r627750_rule", + "__new": "SV-230226r743916_rule" + }, + "fix_id": { + "__old": "F-32870r567425_fix", + "__new": "F-32870r743915_fix" + } + }, + "descs": { + "check": { + "__old": "Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. \n\nCheck to see if the operating system displays a banner at the logon screen with the following command:\n\n$ sudo grep banner-message-enable /etc/dconf/db/local.d/*\n\nbanner-message-enable=true\n\nIf \"banner-message-enable\" is set to \"false\" or is missing, this is a finding.\n\nCheck that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command:\n\n$ sudo grep banner-message-text /etc/dconf/db/local.d/*\n\nbanner-message-text=\n'You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the graphical interface.\n\nIf the banner does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.", + "__new": "Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. 
\n\nCheck that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command:\n\n$ sudo grep banner-message-text /etc/dconf/db/local.d/*\n\nbanner-message-text=\n'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the graphical interface.\n\nIf the banner does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nCreate a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:\n\n$ sudo touch /etc/dconf/db/local.d/01-banner-message\n\nAdd the following lines to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\n[org/gnome/login-screen]\n\nbanner-message-enable=true\n\nbanner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. 
'\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the graphical interface.\n\nRun the following command to update the database:\n\n$ sudo dconf update", + "__new": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nAdd the following lines to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\nbanner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. 
They will not be displayed on the graphical interface.\n\nRun the following command to update the database:\n\n$ sudo dconf update" + } + } + }, + "V-230227": {}, + "V-230228": {}, + "V-230229": {}, + "V-230230": {}, + "V-230231": {}, + "V-230232": {}, + "V-230233": { + "tags": { + "check_id": { + "__old": "C-32902r567445_chk", + "__new": "C-32902r743917_chk" + }, + "rid": { + "__old": "SV-230233r627750_rule", + "__new": "SV-230233r743919_rule" + }, + "fix_id": { + "__old": "F-32877r567446_fix", + "__new": "F-32877r743918_fix" + } + }, + "title": { + "__old": "RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords.", + "__new": "The RHEL 8 password-auth file must be configured to use a sufficient number of hashing rounds." + }, + "descs": { + "check": { + "__old": "Check that a minimum number of hash rounds is configured by running the following commands:\n\n$ sudo grep rounds /etc/pam.d/password-auth\n\npassword sufficient pam_unix.so sha512 rounds=5000\n\n$ sudo grep rounds /etc/pam.d/system-auth\n\npassword sufficient pam_unix.so sha512 rounds=5000\n\nIf \"rounds\" has a value below \"5000\", or is commented out in either file, this is a finding.", + "__new": "Check that a minimum number of hash rounds is configured by running the following command:\n\n$ sudo grep rounds /etc/pam.d/password-auth\n\npassword sufficient pam_unix.so sha512 rounds=5000\n\nIf \"rounds\" has a value below \"5000\", or is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.\n\nEdit/modify the following line in the \"/etc/pam.d/password-auth\" and \"etc/pam.d/system-auth\" files and set \"rounds\" to a value no lower than \"5000\":\n\npassword sufficient pam_unix.so sha512 rounds=5000", + "__new": "Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.\n\nEdit/modify the following line in the \"/etc/pam.d/password-auth\" file and set \"rounds\" to a value no lower than \"5000\":\n\npassword sufficient pam_unix.so sha512 rounds=5000" + } + } + }, + "V-230234": { + "tags": { + "check_id": { + "__old": "C-32903r567448_chk", + "__new": "C-32903r743920_chk" + }, + "rid": { + "__old": "SV-230234r627750_rule", + "__new": "SV-230234r743922_rule" + }, + "fix_id": { + "__old": "F-32878r567449_fix", + "__new": "F-32878r743921_fix" + } + }, + "title": { + "__old": "RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.", + "__new": "RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance." + }, + "descs": { + "check": { + "__old": "For systems that use BIOS, this is Not Applicable.\n\nCheck to see if an encrypted root password is set. 
On systems that use UEFI, use the following command:\n\n$ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg\n\nGRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\nIf the root password does not begin with \"grub.pbkdf2.sha512\", this is a finding.\n\nVerify that a unique account name is set as the \"superusers\":\n\n$ sudo grep -iw \"superusers\" /boot/efi/EFI/redhat/grub.cfg\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nIf \"superusers\" is not set to a unique name or is missing a name, this is a finding.", + "__new": "For systems that use BIOS, this is Not Applicable.\n\nCheck to see if an encrypted grub superusers password is set. On systems that use UEFI, use the following command:\n\n$ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg\n\nGRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\nIf the grub superusers password does not begin with \"grub.pbkdf2.sha512\", this is a finding." + }, + "fix": { + "__old": "Configure the system to require a grub bootloader password for the grub superuser account.\n\nGenerate an encrypted grub2 password for the grub superuser account with the following command:\n\n$ sudo grub2-setpassword\nEnter password:\nConfirm password:\n\nEdit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the \"### BEGIN /etc/grub.d/01_users ###\" section:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers", + "__new": "Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.\n\nGenerate an encrypted grub2 password for the grub superusers account with the following command:\n\n$ sudo grub2-setpassword\nEnter password:\nConfirm password:" + } + } + }, + "V-230235": { + "tags": { + "check_id": { + "__old": "C-32904r567451_chk", + "__new": "C-32904r743923_chk" + }, + "rid": { + "__old": "SV-230235r627750_rule", + "__new": 
"SV-230235r743925_rule" + }, + "fix_id": { + "__old": "F-32879r567452_fix", + "__new": "F-32879r743924_fix" + } + }, + "descs": { + "check": { + "__old": "For systems that use UEFI, this is Not Applicable.\n\nCheck to see if an encrypted root password is set. On systems that use a BIOS, use the following command:\n\n$ sudo grep -iw grub2_password /boot/grub2/user.cfg\n\nGRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\nIf the root password does not begin with \"grub.pbkdf2.sha512\", this is a finding.\n\nVerify that a unique name is set as the \"superusers\":\n\n$ sudo grep -iw \"superusers\" /boot/grub2/grub.cfg\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nIf \"superusers\" is not set to a unique name or is missing a name, this is a finding.", + "__new": "For systems that use UEFI, this is Not Applicable.\n\nCheck to see if an encrypted grub superusers password is set. On systems that use a BIOS, use the following command:\n\n$ sudo grep -iw grub2_password /boot/grub2/user.cfg\n\nGRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]\n\nIf the grub superusers password does not begin with \"grub.pbkdf2.sha512\", this is a finding." 
+ }, + "fix": { + "__old": "Configure the system to require a grub bootloader password for the grub superuser account.\n\nGenerate an encrypted grub2 password for the grub superuser account with the following command:\n\n$ sudo grub2-setpassword\nEnter password:\nConfirm password:\n\nEdit the /boot/grub2/grub.cfg file and add or modify the following lines in the \"### BEGIN /etc/grub.d/01_users ###\" section:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers", + "__new": "Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file.\n\nGenerate an encrypted grub2 password for the grub superusers account with the following command:\n\n$ sudo grub2-setpassword\nEnter password:\nConfirm password:" + } + } + }, + "V-230236": { + "tags": { + "check_id": { + "__old": "C-32905r567454_chk", + "__new": "C-32905r743926_chk" + }, + "rid": { + "__old": "SV-230236r627750_rule", + "__new": "SV-230236r743928_rule" + }, + "fix_id": { + "__old": "F-32880r567455_fix", + "__new": "F-32880r743927_fix" + } + }, + "title": { + "__old": "RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes.", + "__new": "RHEL 8 operating systems must require authentication upon booting into rescue mode." 
+ }, + "descs": { + "check": { + "__old": "Check to see if the system requires authentication for rescue or emergency mode with the following command:\n\n$ sudo grep sulogin-shell /usr/lib/systemd/system/rescue.service\n\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue\n\nIf the \"ExecStart\" line is configured for anything other than \"/usr/lib/systemd/systemd-sulogin-shell rescue\", commented out, or missing, this is a finding.", + "__new": "Check to see if the system requires authentication for rescue mode with the following command:\n\n$ sudo grep sulogin-shell /usr/lib/systemd/system/rescue.service\n\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue\n\nIf the \"ExecStart\" line is configured for anything other than \"/usr/lib/systemd/systemd-sulogin-shell rescue\", commented out, or missing, this is a finding." + }, + "fix": { + "__old": "Configure the system to require authentication upon booting into emergency or rescue mode by adding the following line to the \"/usr/lib/systemd/system/rescue.service\" file.\n\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue", + "__new": "Configure the system to require authentication upon booting into rescue mode by adding the following line to the \"/usr/lib/systemd/system/rescue.service\" file.\n\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" + } + } + }, + "V-230237": { + "tags": { + "check_id": { + "__old": "C-32906r567457_chk", + "__new": "C-32906r743929_chk" + }, + "rid": { + "__old": "SV-230237r627750_rule", + "__new": "SV-230237r743931_rule" + }, + "fix_id": { + "__old": "F-32881r567458_fix", + "__new": "F-32881r743930_fix" + } + }, + "title": { + "__old": "The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.", + "__new": "The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." 
+ }, + "descs": { + "check": { + "__old": "Verify that pam_unix.so auth is configured to use sha512.\n\nCheck that pam_unix.so auth is configured to use sha512 in both /etc/pam.d/password-auth and /etc/pam.d/system-auth with the following command:\n\n$ sudo grep password /etc/pam.d/password-auth | grep pam_unix\n\npassword sufficient pam_unix.so sha512 rounds=5000\n\n$ sudo grep password /etc/pam.d/system-auth | grep pam_unix\n\npassword sufficient pam_unix.so sha512 rounds=5000\n\nIf \"sha512\" is not an option in both outputs, or is commented out, this is a finding.", + "__new": "Verify that the pam_unix.so module is configured to use sha512.\n\nCheck that the pam_unix.so module is configured to use sha512 in /etc/pam.d/password-auth with the following command:\n\n$ sudo grep password /etc/pam.d/password-auth | grep pam_unix\n\npassword sufficient pam_unix.so sha512 rounds=5000\n\nIf \"sha512\" is missing, or is commented out, this is a finding." + }, + "fix": { + "__old": "Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the file \"/etc/pam.d/password-auth\" and \"/etc/pam.d/system-auth\" files to include the sha512 option for pam_unix.so:\n\npassword sufficient pam_unix.so sha512 rounds=5000 shadow remember=5", + "__new": "Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the \"/etc/pam.d/password-auth\" file to include the sha512 option for pam_unix.so:\n\npassword sufficient pam_unix.so sha512 rounds=5000" + } + } + }, + "V-230238": {}, + "V-230239": {}, + "V-230240": {}, + "V-230241": {}, + "V-230242": {}, + "V-230243": {}, + "V-230244": { + "tags": { + "check_id": { + "__old": "C-32913r567478_chk", + "__new": "C-32913r743932_chk" + }, + "rid": { + "__old": "SV-230244r627750_rule", + "__new": "SV-230244r743934_rule" + }, + "fix_id": { + "__old": "F-32888r567479_fix", + 
"__new": "F-32888r743933_fix" + } + }, + "desc": { + "__old": "Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\nRHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" are used to establish the inactivity threshold. The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. The default setting for \"ClientAliveCountMax\" is \"3\". 
If \"ClientAliveInterval is set to \"15\" and \"ClientAliveCountMax\" is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds.\n\n", + "__new": "Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\nRHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of \"ClientAliveInterval\" and \"ClientAliveCountMax\" are used to establish the inactivity threshold. The \"ClientAliveInterval\" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The \"ClientAliveCountMax\" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. 
For more information on these settings and others, refer to the sshd_config man pages.\n\n" + }, + "descs": { + "check": { + "__old": "Verify all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity.\n\nCheck that the \"ClientAliveInterval\" variable is set to a value of \"600\" or less and that the \"ClientAliveCountMax\" is set to \"0\" by performing the following command:\n\n$ sudo grep -i clientalive /etc/ssh/sshd_config\n\nClientAliveInterval 600\nClientAliveCountMax 0\n\nIf \"ClientAliveInterval\" and \"ClientAliveCountMax\" do not exist, does not have a product value of \"600\" or less in \"/etc/ssh/sshd_config\", or is commented out, this is a finding.", + "__new": "Verify all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity.\n\nCheck that the \"ClientAliveCountMax\" is set to \"0\" by performing the following command:\n\n$ sudo grep -i clientalive /etc/ssh/sshd_config\n\nClientAliveInterval 600\nClientAliveCountMax 0\n\nIf \"ClientAliveCountMax\" do not exist, is not set to a value of \"0\" in \"/etc/ssh/sshd_config\", or is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure RHEL 8 to automatically terminate all network connections associated with SSH traffic at the end of a session or after 10 minutes of inactivity.\n\nModify or append the following lines in the \"/etc/ssh/sshd_config\" file to have a product value of \"600\" or less:\n\nClientAliveInterval 600\nClientAliveCountMax 0\n\nIn order for the changes to take effect, the SSH daemon must be restarted.\n\n$ sudo systemctl restart sshd.service", + "__new": "Configure RHEL 8 to automatically terminate all network connections associated with SSH traffic at the end of a session or after 10 minutes of inactivity.\n\nModify or append the following lines in the \"/etc/ssh/sshd_config\" file:\n\nClientAliveCountMax 0\n\nIn order for the changes to take effect, the SSH daemon must be restarted.\n\n$ sudo systemctl restart sshd.service" + } + } + }, + "V-230245": {}, + "V-230246": {}, + "V-230247": {}, + "V-230248": {}, + "V-230249": {}, + "V-230250": {}, + "V-230251": { + "tags": { + "check_id": { + "__old": "C-32920r646865_chk", + "__new": "C-32920r743935_chk" + }, + "rid": { + "__old": "SV-230251r646866_rule", + "__new": "SV-230251r743937_rule" + }, + "fix_id": { + "__old": "F-32895r567500_fix", + "__new": "F-32895r743936_fix" + } + }, + "title": { + "__old": "The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.", + "__new": "The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms." + }, + "desc": { + "__old": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. 
Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\n\nRHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssh.config file.\n\nBy specifying a hash algorithm list with the order of hashes being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest hash for securing SSH connections.\n\n", + "__new": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\n\nRHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. 
The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.\n\nThe system will attempt to use the first hash presented by the client that matches the server list. Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest hash available to secure the SSH connection.\n\n" + }, + "descs": { + "check": { + "__old": "Verify the SSH daemon is configured to use only MACs employing FIPS 140-2-approved algorithms:\n\nVerify that system-wide crypto policies are in effect:\n\n$ sudo grep -i crypto_policy /etc/sysconfig/sshd\n\n# crypto_policy=\n\nIf the \"crypto_policy\" is uncommented, this is a finding.\n\nVerify which system-wide crypto policy is in use:\n\n$ sudo update-crypto-policies --show\n\nFIPS\n\nCheck that the MACs in the back-end configurations are FIPS 140-2-approved algorithms with the following command:\n\n$ sudo grep -i macs /etc/crypto-policies/back-ends/openssh.config /etc/crypto-policies/back-ends/opensshserver.config\n\n/etc/crypto-policies/back-ends/openssh.config:MACs hmac-sha2-512,hmac-sha2-256\n/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256'\n/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256'\n\nIf the MAC entries in the \"openssh.config\" and \"opensshserver.config\" files have any hashes other than \"hmac-sha2-512\" and \"hmac-sha2-256\", the order differs from the example above, if they are missing, or commented out, this is a finding.", + "__new": "Verify the SSH server is configured to use only MACs employing FIPS 140-2-approved algorithms with the following command:\n\n$ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config\n\n-oMACS=hmac-sha2-512,hmac-sha2-256\n\nIf the MACs entries in the \"opensshserver.config\" file have any hashes other than \"hmac-sha2-512\" 
and \"hmac-sha2-256\", the order differs from the example above, they are missing, or commented out, this is a finding." + }, + "fix": { + "__old": "Configure the RHEL 8 SSH daemon to use only MACs employing FIPS 140-2-approved algorithms with the following commands:\n\n$ sudo fips-mode-setup --enable\n\nNext, update the \"/etc/crypto-policies/back-ends/openssh.config\" \nand \"/etc/crypto-policies/back-ends/opensshserver.config\" files to include these MACs employing FIPS 140-2-approved algorithms:\n\n/etc/crypto-policies/back-ends/openssh.config:MACs hmac-sha2-512,hmac-sha2-256\n/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256'\n/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256'\n\nA reboot is required for the changes to take effect.", + "__new": "Configure the RHEL 8 SSH server to use only MACs employing FIPS 140-2-approved algorithms by updating the \"/etc/crypto-policies/back-ends/opensshserver.config\" file with the following line:\n\n-oMACS=hmac-sha2-512,hmac-sha2-256\n\nA reboot is required for the changes to take effect." + } + } + }, + "V-230252": { + "tags": { + "check_id": { + "__old": "C-32921r646867_chk", + "__new": "C-32921r743938_chk" + }, + "rid": { + "__old": "SV-230252r646869_rule", + "__new": "SV-230252r743940_rule" + }, + "fix_id": { + "__old": "F-32896r646868_fix", + "__new": "F-32896r743939_fix" + } + }, + "title": { + "__old": "The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.", + "__new": "The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections." 
+ }, + "desc": { + "__old": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\n\nRHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssh.config file.\n\nBy specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.\n\n", + "__new": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\n\nRHEL 8 incorporates system-wide crypto policies by default. 
The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.\n\nThe system will attempt to use the first hash presented by the client that matches the server list. Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest hash available to secure the SSH connection.\n\n" + }, + "descs": { + "check": { + "__old": "Verify the SSH daemon is configured to use only ciphers employing FIPS 140-2-approved algorithms:\n\nVerify that system-wide crypto policies are in effect:\n\n$ sudo grep -i crypto_policy /etc/sysconfig/sshd\n\n# crypto_policy=\n\nIf the \"crypto_policy\" is uncommented, this is a finding.\n\nVerify which system-wide crypto policy is in use:\n\n$ sudo update-crypto-policies --show\n\nFIPS\n\nCheck that the ciphers in the back-end configurations are FIPS 140-2-approved algorithms with the following command:\n\n$ sudo grep -i ciphers /etc/crypto-policies/back-ends/openssh.config /etc/crypto-policies/back-ends/opensshserver.config\n\n/etc/crypto-policies/back-ends/openssh.config:Ciphers aes256-ctr,aes192-ctr,aes128-ctr\n/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr'\n/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr'\n\nIf the cipher entries in the \"openssh.config\" and \"opensshserver.config\" files have any ciphers other than \"aes256-ctr,aes192-ctr,aes128-ctr\", the order differs from the example above, if they are missing, or commented out, this is a finding.", + "__new": "Verify the SSH server is configured to use only ciphers employing FIPS 140-2-approved algorithms with the following command:\n\n$ sudo grep -i ciphers 
/etc/crypto-policies/back-ends/opensshserver.config\n\nCRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr'\n\nIf the cipher entries in the \"opensshserver.config\" file have any ciphers other than \"aes256-ctr,aes192-ctr,aes128-ctr\", the order differs from the example above, they are missing, or commented out, this is a finding." + }, + "fix": { + "__old": "Configure the RHEL 8 SSH daemon to use only ciphers employing FIPS 140-2-approved algorithms with the following command:\n\n$ sudo fips-mode-setup --enable\n\nNext, update the \"/etc/crypto-policies/back-ends/openssh.config\" and \"/etc/crypto-policies/back-ends/opensshserver.config\" files to include these ciphers employing FIPS 140-2-approved algorithms:\n\n/etc/crypto-policies/back-ends/openssh.config:Ciphers aes256-ctr,aes192-ctr,aes128-ctr\n/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr'\n/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr'\n\nA reboot is required for the changes to take effect.", + "__new": "Configure the RHEL 8 SSH server to use only ciphers employing FIPS 140-2-approved algorithms by updating the \"/etc/crypto-policies/back-ends/opensshserver.config\" file with the following line:\n\n-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr\n\nA reboot is required for the changes to take effect." 
+ } + } + }, + "V-230253": {}, + "V-230254": {}, + "V-230255": {}, + "V-230256": {}, + "V-230257": {}, + "V-230258": {}, + "V-230259": {}, + "V-230260": {}, + "V-230261": {}, + "V-230262": {}, + "V-230263": {}, + "V-230264": {}, + "V-230265": {}, + "V-230266": {}, + "V-230267": {}, + "V-230268": {}, + "V-230269": {}, + "V-230270": {}, + "V-230271": {}, + "V-230272": {}, + "V-230273": { + "tags": { + "check_id": { + "__old": "C-32942r567565_chk", + "__new": "C-32942r743941_chk" + }, + "rid": { + "__old": "SV-230273r627750_rule", + "__new": "SV-230273r743943_rule" + }, + "fix_id": { + "__old": "F-32917r567566_fix", + "__new": "F-32917r743942_fix" + } + }, + "descs": { + "check": { + "__old": "Verify the operating system has the packages required for multifactor authentication installed with the following commands:\n\n$ sudo yum list installed esc openssl-pkcs11\n\nesc.x86_64 1.1.2-7.el8 @AppStream\nopenssl-pkcs11.x86_64 0.4.8-2.el8 @anaconda\n\nIf the \"esc\" and \"openssl-pkcs11\" packages are not installed, ask the administrator to indicate what type of multifactor authentication is being utilized and what packages are installed to support it. If there is no evidence of multifactor authentication being used, this is a finding.", + "__new": "Verify the operating system has the packages required for multifactor authentication installed with the following commands:\n\n$ sudo yum list installed openssl-pkcs11\n\nopenssl-pkcs11.x86_64 0.4.8-2.el8 @anaconda\n\nIf the \"openssl-pkcs11\" package is not installed, ask the administrator to indicate what type of multifactor authentication is being utilized and what packages are installed to support it. If there is no evidence of multifactor authentication being used, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to implement multifactor authentication by installing the required packages with the following command:\n\n$ sudo yum install esc openssl-pkcs11", + "__new": "Configure the operating system to implement multifactor authentication by installing the required package with the following command:\n\n$ sudo yum install openssl-pkcs11" + } + } + }, + "V-230274": { + "tags": { + "check_id": { + "__old": "C-32943r567568_chk", + "__new": "C-32943r743944_chk" + }, + "rid": { + "__old": "SV-230274r627750_rule", + "__new": "SV-230274r743945_rule" + } + }, + "descs": { + "check": { + "__old": "Verify the operating system implements certificate status checking for multifactor authentication.\n\nCheck to see if Online Certificate Status Protocol (OCSP) is enabled and using the proper digest value on the system with the following command:\n\n$ sudo grep certificate_verification /etc/sssd/sssd.conf | grep -v \"^#\"\n\ncertificate_verification = ocsp_dgst=sha1\n\nIf the certificate_verification line is missing \"ocsp_dgst=sha1\", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. If there is no evidence of certificate status checking being used, this is a finding.", + "__new": "Verify the operating system implements certificate status checking for multifactor authentication.\n\nCheck to see if Online Certificate Status Protocol (OCSP) is enabled and using the proper digest value on the system with the following command:\n\n$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v \"^#\"\n\ncertificate_verification = ocsp_dgst=sha1\n\nIf the certificate_verification line is missing from the [sssd] section, or is missing \"ocsp_dgst=sha1\", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. 
If there is no evidence of certificate status checking being used, this is a finding." + } + } + }, + "V-230275": {}, + "V-230276": {}, + "V-230277": {}, + "V-230278": { + "tags": { + "check_id": { + "__old": "C-32947r567580_chk", + "__new": "C-32947r743946_chk" + }, + "rid": { + "__old": "SV-230278r627750_rule", + "__new": "SV-230278r743948_rule" + }, + "fix_id": { + "__old": "F-32922r567581_fix", + "__new": "F-32922r743947_fix" + } + }, + "desc": { + "__old": "Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense.\n\nVirtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns.\n\n", + "__new": "Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense.\n\nVirtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. 
Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on RHEL 6 components, then virtual syscalls will need enabled so the components function properly.\n\n" + }, + "descs": { + "check": { + "__old": "Verify that GRUB 2 is configured to disable vsyscalls with the following commands:\n\nCheck that the current GRUB 2 configuration disables vsyscalls:\n\n$ sudo grub2-editenv - list | grep vsyscall\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf \"vsyscall\" is not set to \"none\" or is missing, this is a finding.\n\nCheck that vsyscalls are disabled by default to persist in kernel updates: \n\n$ sudo grep vsyscall /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"vsyscall=none\"\n\nIf \"vsyscall\" is not set to \"none\", is missing or commented out, this is a finding.", + "__new": "Verify that GRUB 2 is configured to disable vsyscalls with the following commands:\n\nCheck that the current GRUB 2 configuration disables vsyscalls:\n\n$ sudo grub2-editenv - list | grep vsyscall\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf \"vsyscall\" is not set to \"none\" or is missing, this is a finding.\n\nCheck that vsyscalls are disabled by default to persist in kernel updates: \n\n$ sudo grep vsyscall /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"vsyscall=none\"\n\nIf \"vsyscall\" is not set to \"none\", is missing or commented out and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding." 
+ }, + "fix": { + "__old": "Configure RHEL 8 to disable vsyscalls with the following commands:\n\n$ sudo grubby --update-kernel=ALL --args=\"vsyscall=none\"\n\nAdd or modify the following line in \"/etc/default/grub\" to ensure the configuration survives kernel updates:\n\nGRUB_CMDLINE_LINUX=\"vsyscall=none\"", + "__new": "Document the use of vsyscalls with the ISSO as an operational requirement or disable them with the following command:\n\n$ sudo grubby --update-kernel=ALL --args=\"vsyscall=none\"\n\nAdd or modify the following line in \"/etc/default/grub\" to ensure the configuration survives kernel updates:\n\nGRUB_CMDLINE_LINUX=\"vsyscall=none\"" + } + } + }, + "V-230279": {}, + "V-230280": {}, + "V-230281": {}, + "V-230282": {}, + "V-230283": {}, + "V-230284": {}, + "V-230285": {}, + "V-230286": {}, + "V-230287": { + "tags": { + "check_id": { + "__old": "C-32956r567607_chk", + "__new": "C-32956r743949_chk" + }, + "rid": { + "__old": "SV-230287r627750_rule", + "__new": "SV-230287r743951_rule" + }, + "fix_id": { + "__old": "F-32931r567608_fix", + "__new": "F-32931r743950_fix" + } + }, + "title": { + "__old": "The RHEL 8 SSH private host key files must have mode 0640 or less permissive.", + "__new": "The RHEL 8 SSH private host key files must have mode 0600 or less permissive." 
+ }, + "descs": { + "check": { + "__old": "Verify the SSH private host key files have mode \"0640\" or less permissive with the following command:\n\n$ sudo ls -l /etc/ssh/ssh_host*key\n\n-rw------- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key\n-rw------- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key\n-rw------- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any private host key file has a mode more permissive than \"0640\", this is a finding.", + "__new": "Verify the SSH private host key files have mode \"0600\" or less permissive with the following command:\n\n$ sudo ls -l /etc/ssh/ssh_host*key\n\n-rw------- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key\n-rw------- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key\n-rw------- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any private host key file has a mode more permissive than \"0600\", this is a finding." + }, + "fix": { + "__old": "Configure the mode of SSH private host key files under \"/etc/ssh\" to \"0640\" with the following command:\n\n$ sudo chmod 0640 /etc/ssh/ssh_host*key\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n$ sudo systemctl restart sshd.service", + "__new": "Configure the mode of SSH private host key files under \"/etc/ssh\" to \"0600\" with the following command:\n\n$ sudo chmod 0600 /etc/ssh/ssh_host*key\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the SSH daemon, run the following command:\n\n$ sudo systemctl restart sshd.service" + } + } + }, + "V-230288": {}, + "V-230289": { + "tags": { + "check_id": { + "__old": "C-32958r567613_chk", + "__new": "C-32958r743952_chk" + }, + "rid": { + "__old": "SV-230289r627750_rule", + "__new": "SV-230289r743954_rule" + }, + "fix_id": { + "__old": "F-32933r567614_fix", + "__new": "F-32933r743953_fix" + } + }, + "descs": { + "check": { + "__old": "Verify the SSH daemon performs compression after a user successfully authenticates with the following command:\n\n$ sudo grep -i compression /etc/ssh/sshd_config\n\nCompression no\n\nIf the \"Compression\" keyword is set to \"yes\", \"delayed\", is missing, or the returned line is commented out, this is a finding.", + "__new": "Verify the SSH daemon performs compression after a user successfully authenticates with the following command:\n\n$ sudo grep -i compression /etc/ssh/sshd_config\n\nCompression delayed\n\nIf the \"Compression\" keyword is set to \"yes\", is missing, or the returned line is commented out, this is a finding." + }, + "fix": { + "__old": "Uncomment the \"Compression\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to \"no\":\n\nCompression no\n\nThe SSH service must be restarted for changes to take effect.", + "__new": "Uncomment the \"Compression\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to \"delayed\" or \"no\":\n\nCompression no\n\nThe SSH service must be restarted for changes to take effect." 
+ } + } + }, + "V-230290": {}, + "V-230291": { + "tags": { + "check_id": { + "__old": "C-32960r567619_chk", + "__new": "C-32960r743955_chk" + }, + "rid": { + "__old": "SV-230291r627750_rule", + "__new": "SV-230291r743957_rule" + }, + "fix_id": { + "__old": "F-32935r567620_fix", + "__new": "F-32935r743956_fix" + } + }, + "title": { + "__old": "The RHEL 8 SSH daemon must not allow unused methods of authentication.", + "__new": "The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements." + }, + "descs": { + "check": { + "__old": "Verify the SSH daemon does not allow authentication using unused methods of authentication with the following command:\n\n$ sudo grep -i \"KerberosAuthentication\\|GSSAPIAuthentication\" /etc/ssh/sshd_config\n\nKerberosAuthentication no\nGSSAPIAuthentication no\n\nIf the values are returned as \"yes\", the returned line is commented out, no output is returned, or has not been documented with the ISSO, this is a finding.", + "__new": "Verify the SSH daemon does not allow Kerberos authentication with the following command:\n\n$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config\n\nKerberosAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, no output is returned, or has not been documented with the ISSO, this is a finding." + }, + "fix": { + "__old": "Configure the SSH daemon to not allow authentication using unused methods of authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"no\":\n\nKerberosAuthentication no\nGSSAPIAuthentication no\n\nThe SSH daemon must be restarted for the changes to take effect. 
To restart the SSH daemon, run the following command:\n\n$ sudo systemctl restart sshd.service", + "__new": "Configure the SSH daemon to not allow Kerberos authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"no\":\n\nKerberosAuthentication no\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n$ sudo systemctl restart sshd.service" + } + } + }, + "V-230292": {}, + "V-230293": {}, + "V-230294": {}, + "V-230295": {}, + "V-230296": {}, + "V-230297": {}, + "V-230298": {}, + "V-230299": {}, + "V-230300": { + "tags": { + "check_id": { + "__old": "C-32969r567646_chk", + "__new": "C-32969r743958_chk" + }, + "rid": { + "__old": "SV-230300r627750_rule", + "__new": "SV-230300r743959_rule" + } + }, + "descs": { + "check": { + "__old": "Verify the /boot directory is mounted with the \"nosuid\" option with the following command:\n\n$ sudo mount | grep '\\s/boot\\s'\n\n/dev/sda1 on /boot type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota)\n\nIf the /boot file system does not have the \"nosuid\" option set, this is a finding.", + "__new": "For systems that use UEFI, this is Not Applicable.\n\nVerify the /boot directory is mounted with the \"nosuid\" option with the following command:\n\n$ sudo mount | grep '\\s/boot\\s'\n\n/dev/sda1 on /boot type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota)\n\nIf the /boot file system does not have the \"nosuid\" option set, this is a finding." 
+ } + } + }, + "V-230301": {}, + "V-230302": {}, + "V-230303": {}, + "V-230304": {}, + "V-230305": {}, + "V-230306": {}, + "V-230307": {}, + "V-230308": {}, + "V-230309": {}, + "V-230310": {}, + "V-230311": {}, + "V-230312": {}, + "V-230313": {}, + "V-230314": {}, + "V-230315": {}, + "V-230316": {}, + "V-230317": {}, + "V-230318": { + "tags": { + "rid": { + "__old": "SV-230318r627750_rule", + "__new": "SV-230318r743960_rule" + } + }, + "title": { + "__old": "All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group.", + "__new": "All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user." + }, + "desc": { + "__old": "If a world-writable directory has the sticky bit set and is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.", + "__new": "If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access." 
+ } + }, + "V-230319": { + "tags": { + "rid": { + "__old": "SV-230319r627750_rule", + "__new": "SV-230319r743961_rule" + } + }, + "desc": { + "__old": "If a world-writable directory has the sticky bit set and is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.", + "__new": "If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access." + } + }, + "V-230320": {}, + "V-230321": {}, + "V-230322": { + "tags": { + "check_id": { + "__old": "C-32991r567712_chk", + "__new": "C-32991r743962_chk" + }, + "rid": { + "__old": "SV-230322r627750_rule", + "__new": "SV-230322r743963_rule" + } + }, + "descs": { + "check": { + "__old": "Verify the assigned home directory of all local interactive users is group-owned by that user’s primary GID with the following command:\n\nNote: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. 
The returned directory \"/home/smithj\" is used as an example.\n\n$ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n\ndrwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nCheck the user's primary group with the following command:\n\n$ sudo grep admin /etc/group\n\nadmin:x:250:smithj,jonesj,jacksons\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by that user’s primary GID, this is a finding.", + "__new": "Verify the assigned home directory of all local interactive users is group-owned by that user’s primary GID with the following command:\n\nNote: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory \"/home/smithj\" is used as an example.\n\n$ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n\ndrwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj\n\nCheck the user's primary group with the following command:\n\n$ sudo grep $(grep smithj /etc/passwd | awk -F: ‘{print $4}’) /etc/group\n\nadmin:x:250:smithj,jonesj,jacksons\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by that user’s primary GID, this is a finding." 
+ } + } + }, + "V-230323": {}, + "V-230324": {}, + "V-230325": {}, + "V-230326": {}, + "V-230327": {}, + "V-230328": {}, + "V-230329": {}, + "V-230330": {}, + "V-230331": {}, + "V-230332": {}, + "V-230333": { + "tags": { + "check_id": { + "__old": "C-33002r567745_chk", + "__new": "C-33002r743964_chk" + }, + "rid": { + "__old": "SV-230333r627750_rule", + "__new": "SV-230333r743966_rule" + }, + "fix_id": { + "__old": "F-32977r567746_fix", + "__new": "F-32977r743965_fix" + } + }, + "descs": { + "check": { + "__old": "Check that the system locks an account after three unsuccessful logon attempts with the following commands:\n\nNote: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the pam_faillock.so module is present in the \"/etc/pam.d/system-auth\" and \" /etc/pam.d/password-auth\" files:\n\n$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth\n\n/etc/pam.d/system-auth:auth required pam_faillock.so preauth\n/etc/pam.d/system-auth:auth required pam_faillock.so authfail\n/etc/pam.d/system-auth:account required pam_faillock.so\n/etc/pam.d/password-auth:auth required pam_faillock.so preauth\n/etc/pam.d/password-auth:auth required pam_faillock.so authfail\n/etc/pam.d/password-auth:account required pam_faillock.so preauth\n\nIf the pam_failllock.so module is not present in the \"/etc/pam.d/system-auth\" and \" /etc/pam.d/password-auth\" files, this is a finding.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to lock an account after three unsuccessful logon attempts:\n\n$ sudo grep 'deny =' /etc/security/faillock.conf\n\ndeny = 3\n\nIf the \"deny\" option is not set to \"3\" or less (but not \"0\"), is missing or commented out, this is a finding.", + "__new": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the \"/etc/security/faillock.conf\" file is configured 
to lock an account after three unsuccessful logon attempts:\n\n$ sudo grep 'deny =' /etc/security/faillock.conf\n\ndeny = 3\n\nIf the \"deny\" option is not set to \"3\" or less (but not \"0\"), is missing or commented out, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to lock an account when three unsuccessful logon attempts occur.\n\nAdd/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\ndeny = 3", + "__new": "Configure the operating system to lock an account when three unsuccessful logon attempts occur.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\ndeny = 3" + } + } + }, + "V-230334": {}, + "V-230335": { + "tags": { + "check_id": { + "__old": "C-33004r567751_chk", + "__new": "C-33004r743967_chk" + }, + "rid": { + "__old": "SV-230335r627750_rule", + "__new": "SV-230335r743969_rule" + }, + "fix_id": { + "__old": "F-32979r567752_fix", + "__new": "F-32979r743968_fix" + } + }, + "descs": { + "check": { + "__old": "Check that the system locks an account after three unsuccessful logon attempts within a period of 15 minutes with the following commands:\n\nNote: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the pam_faillock.so module is present in the \"/etc/pam.d/system-auth\" and \" /etc/pam.d/password-auth\" files:\n\n$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth\n\n/etc/pam.d/system-auth:auth required pam_faillock.so preauth\n/etc/pam.d/system-auth:auth required pam_faillock.so authfail\n/etc/pam.d/system-auth:account required pam_faillock.so\n/etc/pam.d/password-auth:auth required pam_faillock.so 
preauth\n/etc/pam.d/password-auth:auth required pam_faillock.so authfail\n/etc/pam.d/password-auth:account required pam_faillock.so preauth\n\nIf the pam_failllock.so module is not present in the \"/etc/pam.d/system-auth\" and \" /etc/pam.d/password-auth\" files, this is a finding.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to lock an account after three unsuccessful logon attempts within 15 minutes:\n\n$ sudo grep 'fail_interval =' /etc/security/faillock.conf\n\nfail_interval = 900\n\nIf the \"fail_interval\" option is not set to \"900\" or less (but not \"0\"), is missing or commented out, this is a finding.", + "__new": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to lock an account after three unsuccessful logon attempts within 15 minutes:\n\n$ sudo grep 'fail_interval =' /etc/security/faillock.conf\n\nfail_interval = 900\n\nIf the \"fail_interval\" option is not set to \"900\" or more, is missing or commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to lock an account when three unsuccessful logon attempts occur in 15 minutes.\n\nAdd/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\nfail_interval = 900", + "__new": "Configure the operating system to lock an account when three unsuccessful logon attempts occur in 15 minutes.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\nfail_interval = 900" + } + } + }, + "V-230336": {}, + "V-230337": { + "tags": { + "check_id": { + "__old": "C-33006r567757_chk", + "__new": "C-33006r743970_chk" + }, + "rid": { + "__old": "SV-230337r627750_rule", + "__new": "SV-230337r743972_rule" + }, + "fix_id": { + "__old": "F-32981r567758_fix", + "__new": "F-32981r743971_fix" + } + }, + "descs": { + "check": { + "__old": "Check that the system locks an account after three unsuccessful logon attempts within a period of 15 minutes until released by an administrator with the following commands:\n\nNote: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the pam_faillock.so module is present in the \"/etc/pam.d/system-auth\" and \" /etc/pam.d/password-auth\" files:\n\n$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth\n\n/etc/pam.d/system-auth:auth required pam_faillock.so preauth\n/etc/pam.d/system-auth:auth required pam_faillock.so authfail\n/etc/pam.d/system-auth:account required pam_faillock.so\n/etc/pam.d/password-auth:auth required pam_faillock.so preauth\n/etc/pam.d/password-auth:auth required pam_faillock.so authfail\n/etc/pam.d/password-auth:account required pam_faillock.so preauth\n\nIf the 
pam_failllock.so module is not present in the \"/etc/pam.d/system-auth\" and \" /etc/pam.d/password-auth\" files, this is a finding.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to lock an account until released by an administrator after three unsuccessful logon attempts:\n\n$ sudo grep 'unlock_time =' /etc/security/faillock.conf\n\nunlock_time = 0\n\nIf the \"unlock_time\" option is not set to \"0\", is missing or commented out, this is a finding.", + "__new": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to lock an account until released by an administrator after three unsuccessful logon attempts:\n\n$ sudo grep 'unlock_time =' /etc/security/faillock.conf\n\nunlock_time = 0\n\nIf the \"unlock_time\" option is not set to \"0\", is missing or commented out, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to lock an account until released by an administrator when three unsuccessful logon attempts occur in 15 minutes.\n\nAdd/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\nunlock_time = 0", + "__new": "Configure the operating system to lock an account until released by an administrator when three unsuccessful logon attempts occur in 15 minutes.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\nunlock_time = 0" + } + } + }, + "V-230338": {}, + "V-230339": { + "tags": { + "check_id": { + "__old": "C-33008r619903_chk", + "__new": "C-33008r743973_chk" + }, + "rid": { + "__old": "SV-230339r627750_rule", + "__new": "SV-230339r743975_rule" + }, + "fix_id": { + 
"__old": "F-32983r567764_fix", + "__new": "F-32983r743974_fix" + } + }, + "descs": { + "check": { + "__old": "Check that the faillock directory contents persist after a reboot with the following commands:\n\nNote: This check applies to RHEL versions 8.2 or newer. If the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the pam_faillock.so module is present in the \"/etc/pam.d/system-auth\" and \" /etc/pam.d/password-auth\" files:\n\n$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth\n\n/etc/pam.d/system-auth:auth required pam_faillock.so preauth\n/etc/pam.d/system-auth:auth required pam_faillock.so authfail\n/etc/pam.d/system-auth:account required pam_faillock.so\n/etc/pam.d/password-auth:auth required pam_faillock.so preauth\n/etc/pam.d/password-auth:auth required pam_faillock.so authfail\n/etc/pam.d/password-auth:account required pam_faillock.so preauth\n\nIf the pam_failllock.so module is not present in the \"/etc/pam.d/system-auth\" and \" /etc/pam.d/password-auth\" files, this is a finding.\n\nVerify the \"/etc/security/faillock.conf\" file is configured use a non-default faillock directory to ensure contents persist after reboot:\n\n$ sudo grep 'dir =' /etc/security/faillock.conf\n\ndir = /var/log/faillock\n\nIf the \"dir\" option is not set to a non-default documented tally log directory, is missing or commented out, this is a finding.", + "__new": "Note: This check applies to RHEL versions 8.2 or newer. If the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the \"/etc/security/faillock.conf\" file is configured use a non-default faillock directory to ensure contents persist after reboot:\n\n$ sudo grep 'dir =' /etc/security/faillock.conf\n\ndir = /var/log/faillock\n\nIf the \"dir\" option is not set to a non-default documented tally log directory, is missing or commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system maintain the contents of the faillock directory after a reboot.\n\nAdd/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\ndir = /var/log/faillock", + "__new": "Configure the operating system maintain the contents of the faillock directory after a reboot.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\ndir = /var/log/faillock" + } + } + }, + "V-230340": {}, + "V-230341": { + "tags": { + "check_id": { + "__old": "C-33010r567769_chk", + "__new": "C-33010r743976_chk" + }, + "rid": { + "__old": "SV-230341r627750_rule", + "__new": "SV-230341r743978_rule" + }, + "fix_id": { + "__old": "F-32985r567770_fix", + "__new": "F-32985r743977_fix" + } + }, + "descs": { + "check": { + "__old": "Check that the system prevents informative messages from being presented to the user pertaining to logon information with the following commands:\n\nNote: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the pam_faillock.so module is present in the \"/etc/pam.d/system-auth\" and \" /etc/pam.d/password-auth\" files:\n\n$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth\n\n/etc/pam.d/system-auth:auth required pam_faillock.so preauth\n/etc/pam.d/system-auth:auth required pam_faillock.so authfail\n/etc/pam.d/system-auth:account required pam_faillock.so\n/etc/pam.d/password-auth:auth required pam_faillock.so preauth\n/etc/pam.d/password-auth:auth required pam_faillock.so authfail\n/etc/pam.d/password-auth:account required pam_faillock.so preauth\n\nIf the pam_failllock.so module is not present in the 
\"/etc/pam.d/system-auth\" and \" /etc/pam.d/password-auth\" files, this is a finding.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to prevent informative messages from being presented at logon attempts:\n\n$ sudo grep silent /etc/security/faillock.conf\n\nsilent\n\nIf the \"silent\" option is not set, is missing or commented out, this is a finding.", + "__new": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to prevent informative messages from being presented at logon attempts:\n\n$ sudo grep silent /etc/security/faillock.conf\n\nsilent\n\nIf the \"silent\" option is not set, is missing or commented out, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to prevent informative messages from being presented at logon attempts.\n\nAdd/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\nsilent", + "__new": "Configure the operating system to prevent informative messages from being presented at logon attempts.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\nsilent" + } + } + }, + "V-230342": {}, + "V-230343": { + "tags": { + "check_id": { + "__old": "C-33012r567775_chk", + "__new": "C-33012r743979_chk" + }, + "rid": { + "__old": "SV-230343r627750_rule", + "__new": "SV-230343r743981_rule" + }, + "fix_id": { + "__old": "F-32987r567776_fix", + "__new": "F-32987r743980_fix" + } + }, + "descs": { + "check": { + "__old": "Check that the system logs user name information when unsuccessful logon attempts occur with the following commands:\n\nNote: This check applies to 
RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the pam_faillock.so module is present in the \"/etc/pam.d/system-auth\" and \" /etc/pam.d/password-auth\" files:\n\n$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth\n\n/etc/pam.d/system-auth:auth required pam_faillock.so preauth\n/etc/pam.d/system-auth:auth required pam_faillock.so authfail\n/etc/pam.d/system-auth:account required pam_faillock.so\n/etc/pam.d/password-auth:auth required pam_faillock.so preauth\n/etc/pam.d/password-auth:auth required pam_faillock.so authfail\n/etc/pam.d/password-auth:account required pam_faillock.so preauth\n\nIf the pam_failllock.so module is not present in the \"/etc/pam.d/system-auth\" and \" /etc/pam.d/password-auth\" files, this is a finding.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to log user name information when unsuccessful logon attempts occur:\n\n$ sudo grep audit /etc/security/faillock.conf\n\naudit\n\nIf the \"audit\" option is not set, is missing or commented out, this is a finding.", + "__new": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to log user name information when unsuccessful logon attempts occur:\n\n$ sudo grep audit /etc/security/faillock.conf\n\naudit\n\nIf the \"audit\" option is not set, is missing or commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to log user name information when unsuccessful logon attempts occur.\n\nAdd/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\naudit", + "__new": "Configure the operating system to log user name information when unsuccessful logon attempts occur.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\naudit" + } + } + }, + "V-230344": {}, + "V-230345": { + "tags": { + "check_id": { + "__old": "C-33014r567781_chk", + "__new": "C-33014r743982_chk" + }, + "rid": { + "__old": "SV-230345r627750_rule", + "__new": "SV-230345r743984_rule" + }, + "fix_id": { + "__old": "F-32989r567782_fix", + "__new": "F-32989r743983_fix" + } + }, + "descs": { + "check": { + "__old": "Check that the system includes the root account when locking an account after three unsuccessful logon attempts within a period of 15 minutes with the following commands:\n\nNote: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the pam_faillock.so module is present in the \"/etc/pam.d/system-auth\" and \" /etc/pam.d/password-auth\" files:\n\n$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth\n\n/etc/pam.d/system-auth:auth required pam_faillock.so preauth\n/etc/pam.d/system-auth:auth required pam_faillock.so authfail\n/etc/pam.d/system-auth:account required pam_faillock.so\n/etc/pam.d/password-auth:auth required pam_faillock.so preauth\n/etc/pam.d/password-auth:auth required pam_faillock.so authfail\n/etc/pam.d/password-auth:account required pam_faillock.so preauth\n\nIf the pam_failllock.so module is not present in the 
\"/etc/pam.d/system-auth\" and \" /etc/pam.d/password-auth\" files, this is a finding.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to log user name information when unsuccessful logon attempts occur:\n\n$ sudo grep even_deny_root /etc/security/faillock.conf\n\neven_deny_root\n\nIf the \"even_deny_root\" option is not set, is missing or commented out, this is a finding.", + "__new": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the \"/etc/security/faillock.conf\" file is configured to log user name information when unsuccessful logon attempts occur:\n\n$ sudo grep even_deny_root /etc/security/faillock.conf\n\neven_deny_root\n\nIf the \"even_deny_root\" option is not set, is missing or commented out, this is a finding." + }, + "fix": { + "__old": "Configure the operating system to include root when locking an account after three unsuccessful logon attempts occur in 15 minutes.\n\nAdd/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" files to match the following lines:\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\neven_deny_root", + "__new": "Configure the operating system to include root when locking an account after three unsuccessful logon attempts occur in 15 minutes.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\neven_deny_root" + } + } + }, + "V-230346": {}, + "V-230347": {}, + "V-230348": { + "tags": { + "check_id": { + "__old": "C-33017r567790_chk", + "__new": "C-33017r743985_chk" + }, + "rid": { + "__old": "SV-230348r627750_rule", + "__new": "SV-230348r743987_rule" + }, + "fix_id": { + "__old": "F-32992r567791_fix", + "__new": "F-32992r743986_fix" + } + }, + "descs": { + "check": { + "__old": "Verify the 
operating system enables the user to initiate a session lock on command. \n\nVerify RHEL 8 has the \"tmux\" package installed, by running the following command:\n\n$ sudo yum list installed tmux\n\ntmux.x86.64 2.7-1.el8 @repository\n\nIf \"tmux\" is not installed, this is a finding.\n\nNext verify that the lock-command is set in the global settings of tmux with the following command:\n\n$ sudo grep -i lock-command /etc/tmux.conf\n\nset -g lock-command vlock\n\nIf the \"lock-command\" is not set in the global settings to call \"vlock\", this is a finding.", + "__new": "Verify the operating system enables the user to initiate a session lock with the following command:\n\n$ sudo grep -i lock-command /etc/tmux.conf\n\nset -g lock-command vlock\n\nIf the \"lock-command\" is not set in the global settings to call \"vlock\", this is a finding." + }, + "fix": { + "__old": "Configure the operating system to enable a user to initiate a session lock via tmux.\n\nInstall the \"tmux\" package, if it is not already installed, by running the following command:\n\n$ sudo yum install tmux\n\nOnce installed, create a global configuration file \"/etc/tmux.conf\" and add the following line:\n\nset -g lock-command vlock", + "__new": "Configure the operating system to enable a user to initiate a session lock via tmux.\n\nCreate a global configuration file \"/etc/tmux.conf\" and add the following line:\n\nset -g lock-command vlock" + } + } + }, + "V-230349": {}, + "V-230350": {}, + "V-230351": {}, + "V-230352": {}, + "V-230353": {}, + "V-230354": { + "tags": { + "check_id": { + "__old": "C-33023r567808_chk", + "__new": "C-33023r743988_chk" + }, + "rid": { + "__old": "SV-230354r627750_rule", + "__new": "SV-230354r743990_rule" + }, + "fix_id": { + "__old": "F-32998r567809_fix", + "__new": "F-32998r743989_fix" + } + }, + "title": { + "__old": "RHEL 8 must prevent a user from overriding graphical user interface settings.", + "__new": "RHEL 8 must prevent a user from overriding the session 
lock-delay setting for the graphical user interface." + }, "descs": { - "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the pam_faillock.so module is present in the \"/etc/pam.d/system-auth\" file:\n\n$ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so\nIf the pam_faillock.so module is not present in the \"/etc/pam.d/system-auth\" file with the \"preauth\" line listed before pam_unix.so, this is a finding.", - "fix": "Configure the operating system to include the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.\n\nAdd/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" file to match the following lines:\nNote: The \"preauth\" line must be listed before pam_unix.so.\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so" + "check": { + "__old": "Verify the operating system prevents a user from overriding graphical user interfaces. \n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n\n$ sudo grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck that graphical settings are locked from non-privileged user modification with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n$ sudo grep -i 'idle\\|lock\\|log\\|user\\|banner' /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/session/idle-delay\n/org/gnome/desktop/screensaver/lock-enabled\n/org/gnome/desktop/screensaver/lock-delay\n/org/gnome/settings-daemon/plugins/media-keys/logout\n/org/gnome/login-screen/disable-user-list\n/org/gnome/login-screen/banner-message-text\n/org/gnome/login-screen/banner-message-enable\n/org/gnome/desktop/lockdown/disable-lock-screen\n\nIf the command does not return at least the example result, this is a finding.", + "__new": "Verify the operating system prevents a user from overriding settings for graphical user interfaces. \n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n\n$ sudo grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck that graphical settings are locked from non-privileged user modification with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". This path must be modified if a database other than \"local\" is being used.\n\n$ sudo grep -i lock-delay /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/lock-delay\n\nIf the command does not return at least the example result, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to prevent a user from overriding settings for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n$ sudo touch /etc/dconf/db/local.d/locks/session\n\nAdd the following settings to prevent non-privileged users from modifying them:\n\n/org/gnome/desktop/session/idle-delay\n/org/gnome/desktop/screensaver/lock-enabled\n/org/gnome/desktop/screensaver/lock-delay\n/org/gnome/settings-daemon/plugins/media-keys/logout\n/org/gnome/login-screen/disable-user-list\n/org/gnome/login-screen/banner-message-text\n/org/gnome/login-screen/banner-message-enable\n/org/gnome/desktop/lockdown/disable-lock-screen", + "__new": "Configure the operating system to prevent a user from overriding settings for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n$ sudo touch /etc/dconf/db/local.d/locks/session\n\nAdd the following setting to prevent non-privileged users from modifying it:\n\n/org/gnome/desktop/screensaver/lock-delay" + } } }, - "V-244534": { + "V-230355": {}, + "V-230356": {}, + "V-230357": {}, + "V-230358": {}, + "V-230359": {}, + "V-230360": {}, + "V-230361": {}, + "V-230362": {}, + "V-230363": {}, + "V-230364": {}, + "V-230365": {}, + "V-230366": {}, + "V-230367": {}, + "V-230368": {}, + "V-230369": {}, + "V-230370": {}, + "V-230371": {}, + "V-230372": {}, + "V-230373": {}, + "V-230374": 
{}, + "V-230375": {}, + "V-230376": {}, + "V-230377": {}, + "V-230378": {}, + "V-230379": {}, + "V-230380": { "tags": { - "check_id": "C-47809r743849_chk", - "severity": "medium", - "gid": "V-244534", - "rid": "SV-244534r743851_rule", - "stig_id": "RHEL-08-020026", - "gtitle": "SRG-OS-000021-GPOS-00005", - "fix_id": "F-47766r743850_fix", - "cci": [ - "CCI-000044" - ], - "nist": [ - "AC-7 a" - ] + "check_id": { + "__old": "C-33049r567886_chk", + "__new": "C-33049r743991_chk" + }, + "rid": { + "__old": "SV-230380r627750_rule", + "__new": "SV-230380r743993_rule" + }, + "fix_id": { + "__old": "F-33024r567887_fix", + "__new": "F-33024r743992_fix" + } + }, + "title": { + "__old": "RHEL 8 must not have accounts configured with blank or null passwords.", + "__new": "RHEL 8 must not allow accounts configured with blank or null passwords." }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244534" - ], - "title": "RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.", - "desc": "[\"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\\n\\nIn RHEL 8.2 the \\\"/etc/security/faillock.conf\\\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \\\"local_users_only\\\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\\n\\nFrom \\\"faillock.conf\\\" man pages: Note that the default directory that \\\"pam_faillock\\\" uses is usually cleared on system boot so the access will be reenabled after system reboot. 
If that is undesirable a different tally directory must be set with the \\\"dir\\\" option.\\nThe preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password.\\n\\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false\"]", - "impact": 0.5, "descs": { - "check": "Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.\n\nVerify the pam_faillock.so module is present in the \"/etc/pam.d/password-auth\" file:\n\n$ sudo grep pam_faillock.so /etc/pam.d/password-auth\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so\n\nIf the pam_faillock.so module is not present in the \"/etc/pam.d/password-auth\" file with the \"preauth\" line listed before pam_unix.so, this is a finding.", - "fix": "Configure the operating system to include the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.\n\nAdd/Modify the appropriate sections of the \"/etc/pam.d/password-auth\" file to match the following lines:\nNote: The \"preauth\" line must be listed before pam_unix.so.\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so" + "check": { + "__old": "To verify that null passwords cannot be used, run the following commands:\n\n$ sudo grep -i nullok /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nIf this produces any output, it may be possible to log on with accounts with empty passwords.\n\n$ sudo grep -i permitemptypasswords /etc/ssh/sshd_config\n\nPermitEmptyPasswords no\n\nIf \"PermitEmptyPasswords\" is set to \"yes\", or If null passwords can be used, this is a finding.\n\nNote: Manual changes to the listed files may be overwritten by the \"authselect\" program.", + "__new": "To verify that null passwords cannot be used, run the following command:\n\n$ sudo grep -i permitemptypasswords 
/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\n\nIf \"PermitEmptyPasswords\" is set to \"yes\", this is a finding." + }, + "fix": { + "__old": "Remove any instances of the \"nullok\" option in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" and add or edit the following line in \"etc/ssh/sshd_config\" to prevent logons with empty passwords.\n\nPermitEmptyPasswords no\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n$ sudo systemctl restart sshd.service\n\nNote: Manual changes to the listed files may be overwritten by the \"authselect\" program.", + "__new": "Edit the following line in \"etc/ssh/sshd_config\" to prevent logons with empty passwords.\n\nPermitEmptyPasswords no\n\nThe SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:\n\n$ sudo systemctl restart sshd.service" + } } }, - "V-244535": { + "V-230381": {}, + "V-230382": {}, + "V-230383": {}, + "V-230384": {}, + "V-230385": {}, + "V-230386": {}, + "V-230387": { "tags": { - "check_id": "C-47810r743852_chk", - "severity": "medium", - "gid": "V-244535", - "rid": "SV-244535r743854_rule", - "stig_id": "RHEL-08-020031", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-47767r743853_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id": { + "__old": "C-33056r567907_chk", + "__new": "C-33056r743994_chk" + }, + "rid": { + "__old": "SV-230387r627750_rule", + "__new": "SV-230387r743996_rule" + }, + "fix_id": { + "__old": "F-33031r567908_fix", + "__new": "F-33031r743995_fix" + } }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244535" - ], - "title": "RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.", - "desc": "[\"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the 
information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe session lock is implemented at the point where session activity can be determined and/or controlled.\\n\\nSatisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227false\"]", - "impact": 0.5, "descs": { - "check": "Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated with the following command:\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\n$ sudo gsettings get org.gnome.desktop.screensaver lock-delay\n\nuint32 5\n\nIf the \"uint32\" setting is missing, or is not set to \"5\" or less, this is a finding.", - "fix": "Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n$ sudo touch /etc/dconf/db/local.d/00-screensaver\n\n[org/gnome/desktop/screensaver]\nlock-delay=uint32 5\n\nThe \"uint32\" must be included along with the integer key values as shown.\n\nUpdate the system databases:\n\n$ sudo dconf update" + "check": { + "__old": "Verify that \"rsyslog\" is configured to log cron events with the following command:\n\nNote: If another logging package is used, substitute the utility 
configuration file for \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n\n$ sudo grep -s cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none /var/log/messages\n/etc/rsyslog.conf:# Log cron stuff\n/etc/rsyslog.conf:cron.* /var/log/cron.log\n\nIf the command does not return a response, check for cron logging all facilities with the following command.\n\n$ sudo grep -s /var/log/messages /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none /var/log/messages\n\nIf \"rsyslog\" is not logging messages for the cron facility or all facilities, this is a finding.", + "__new": "Verify that \"rsyslog\" is configured to log cron events with the following command:\n\nNote: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n\n$ sudo grep -s cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none /var/log/messages\n/etc/rsyslog.conf:# Log cron stuff\n/etc/rsyslog.conf:cron.* /var/log/cron\n\nIf the command does not return a response, check for cron logging all facilities with the following command.\n\n$ sudo grep -s /var/log/messages /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none /var/log/messages\n\nIf \"rsyslog\" is not logging messages for the cron facility or all facilities, this is a finding." 
+ }, + "fix": { + "__old": "Configure \"rsyslog\" to log all cron messages by adding or updating the following line to \"/etc/rsyslog.conf\" or a configuration file in the /etc/rsyslog.d/ directory:\n\ncron.* /var/log/cron.log", + "__new": "Configure \"rsyslog\" to log all cron messages by adding or updating the following line to \"/etc/rsyslog.conf\" or a configuration file in the /etc/rsyslog.d/ directory:\n\ncron.* /var/log/cron\n\nThe rsyslog daemon must be restarted for the changes to take effect:\n$ sudo systemctl restart rsyslog.service" + } } }, - "V-244536": { + "V-230388": {}, + "V-230389": {}, + "V-230390": {}, + "V-230391": { "tags": { - "check_id": "C-47811r743855_chk", - "severity": "medium", - "gid": "V-244536", - "rid": "SV-244536r743857_rule", - "stig_id": "RHEL-08-020032", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-47768r743856_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "rid": { + "__old": "SV-230391r627750_rule", + "__new": "SV-230391r743998_rule" + }, + "fix_id": { + "__old": "F-33035r567920_fix", + "__new": "F-33035r743997_fix" + } }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244536" - ], - "title": "RHEL 8 must disable the user list at logon for graphical user interfaces.", - "desc": "[\"Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system.false\"]", - "impact": 0.5, "descs": { - "check": "Verify the operating system disables the user logon list for graphical user interfaces with the following command:\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. 
If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\n$ sudo gsettings get org.gnome.login-screen disable-user-list\ntrue\n\nIf the setting is \"false\", this is a finding.", - "fix": "Configure the operating system to disable the user list at logon for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n$ sudo touch /etc/dconf/db/local.d/02-login-screen\n\n[org/gnome/login-screen]\ndisable-user-list=true\n\nUpdate the system databases:\n$ sudo dconf update" + "fix": { + "__old": "Configure RHEL 8 to notify the System Administrator (SA) and Information System Security Officer (ISSO) when the audit storage volume is full by configuring the \"max_log_file_action\" parameter in the \"/etc/audit/auditd.conf\" file with the a value of \"syslog\" or \"keep_logs\":\n\nmax_log_file_action=syslog", + "__new": "Configure RHEL 8 to notify the System Administrator (SA) and Information System Security Officer (ISSO) when the audit storage volume is full by configuring the \"max_log_file_action\" parameter in the \"/etc/audit/auditd.conf\" file with the a value of \"syslog\" or \"keep_logs\":\n\nmax_log_file_action = syslog" + } } }, - "V-244537": { + "V-230392": {}, + "V-230393": {}, + "V-230394": {}, + "V-230395": {}, + "V-230396": {}, + "V-230397": {}, + "V-230398": {}, + "V-230399": {}, + "V-230400": {}, + "V-230401": {}, + "V-230402": {}, + "V-230403": {}, + "V-230404": {}, + "V-230405": {}, + "V-230406": {}, + "V-230407": {}, + "V-230408": {}, + "V-230409": {}, + "V-230410": {}, + "V-230411": { "tags": { - "check_id": "C-47812r743858_chk", - "severity": "medium", - "gid": "V-244537", - "rid": 
"SV-244537r743860_rule", - "stig_id": "RHEL-08-020039", - "gtitle": "SRG-OS-000028-GPOS-00009", - "fix_id": "F-47769r743859_fix", - "cci": [ - "CCI-000056" - ], - "nist": [ - "AC-11 b" - ] + "check_id": { + "__old": "C-33080r646879_chk", + "__new": "C-33080r743999_chk" + }, + "rid": { + "__old": "SV-230411r646881_rule", + "__new": "SV-230411r744000_rule" + } + }, + "title": { + "__old": "RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.", + "__new": "The RHEL 8 audit package must be installed." }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244537" - ], - "title": "RHEL 8 must have the tmux package installed.", - "desc": "[\"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\\nTmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. 
Red Hat endorses tmux as the recommended session controlling package.\\n\\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false\"]", - "impact": 0.5, "descs": { - "check": "Verify RHEL 8 has the \"tmux\" package installed, by running the following command:\n\n$ sudo yum list installed tmux\n\ntmux.x86.64 2.7-1.el8 @repository\n\nIf \"tmux\" is not installed, this is a finding.", - "fix": "Configure the operating system to enable a user to initiate a session lock via tmux.\n\nInstall the \"tmux\" package, if it is not already installed, by running the following command:\n\n$ sudo yum install tmux" + "check": { + "__old": "Verify the audit service is configured to produce audit records.\n\nCheck that the audit service is installed properly with the following command:\n\n$ sudo yum list installed audit\n\nIf the \"audit\" package is not installed, this is a finding.", + "__new": "Verify the audit service is configured to produce audit records.\n\nCheck that the audit service is installed with the following command:\n\n$ sudo yum list installed audit\n\nIf the \"audit\" package is not installed, this is a finding." 
+ } } }, - "V-244538": { + "V-230412": {}, + "V-230413": {}, + "V-230414": {}, + "V-230415": {}, + "V-230416": {}, + "V-230417": {}, + "V-230418": {}, + "V-230419": {}, + "V-230420": {}, + "V-230421": {}, + "V-230422": {}, + "V-230423": {}, + "V-230424": {}, + "V-230425": {}, + "V-230426": {}, + "V-230427": {}, + "V-230428": {}, + "V-230429": {}, + "V-230430": {}, + "V-230431": {}, + "V-230432": {}, + "V-230433": {}, + "V-230434": { "tags": { - "check_id": "C-47813r743861_chk", - "severity": "medium", - "gid": "V-244538", - "rid": "SV-244538r743863_rule", - "stig_id": "RHEL-08-020081", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-47770r743862_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "rid": { + "__old": "SV-230434r627750_rule", + "__new": "SV-230434r744002_rule" + }, + "fix_id": { + "__old": "F-33078r568049_fix", + "__new": "F-33078r744001_fix" + } }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244538" - ], - "title": "RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.", - "desc": "[\"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe session lock is implemented at the point where session activity can be determined and/or controlled.\\n\\nImplementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.\\n\\nLocking these settings from non-privileged users is crucial to maintaining a protected baseline.\\n\\nSatisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227false\"]", - "impact": 0.5, "descs": { - "check": "Verify the operating system prevents a user from overriding settings for graphical user interfaces. \n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n\n$ sudo grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck that graphical settings are locked from non-privileged user modification with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n$ sudo grep -i idle /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/session/idle-delay\n\nIf the command does not return at least the example result, this is a finding.", - "fix": "Configure the operating system to prevent a user from overriding settings for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n$ sudo touch /etc/dconf/db/local.d/locks/session\n\nAdd the following setting to prevent non-privileged users from modifying it:\n\n/org/gnome/desktop/session/idle-delay" + "fix": { + "__old": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"ssh-keysign\" by adding or updating the following rule in the \"/etc/audit/audit.rules\" file:\n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect.", + "__new": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"ssh-keysign\" by adding or updating the following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh\n\nThe audit daemon must be restarted for the changes to take effect." 
+ } } }, - "V-244539": { + "V-230435": {}, + "V-230436": {}, + "V-230437": {}, + "V-230438": {}, + "V-230439": {}, + "V-230440": {}, + "V-230441": {}, + "V-230442": {}, + "V-230443": {}, + "V-230444": {}, + "V-230445": {}, + "V-230446": {}, + "V-230447": {}, + "V-230448": {}, + "V-230449": {}, + "V-230450": {}, + "V-230451": {}, + "V-230452": {}, + "V-230453": {}, + "V-230454": {}, + "V-230455": {}, + "V-230456": {}, + "V-230457": {}, + "V-230458": {}, + "V-230459": {}, + "V-230460": {}, + "V-230461": {}, + "V-230462": {}, + "V-230463": {}, + "V-230464": {}, + "V-230465": {}, + "V-230466": {}, + "V-230467": {}, + "V-230468": {}, + "V-230469": { "tags": { - "check_id": "C-47814r743864_chk", - "severity": "medium", - "gid": "V-244539", - "rid": "SV-244539r743866_rule", - "stig_id": "RHEL-08-020082", - "gtitle": "SRG-OS-000029-GPOS-00010", - "fix_id": "F-47771r743865_fix", - "cci": [ - "CCI-000057" - ], - "nist": [ - "AC-11 a" - ] + "check_id": { + "__old": "C-33138r568153_chk", + "__new": "C-33138r744003_chk" + }, + "rid": { + "__old": "SV-230469r627750_rule", + "__new": "SV-230469r744004_rule" + } }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244539" - ], - "title": "RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.", - "desc": "[\"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\\n\\nThe session lock is implemented at the point where session activity can be determined and/or controlled.\\n\\nImplementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide.\\n\\nLocking these settings from non-privileged users is crucial to maintaining a protected baseline.\\n\\nSatisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227false\"]", - "impact": 0.5, "descs": { - "check": "Verify the operating system prevents a user from overriding settings for graphical user interfaces. \n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nDetermine which profile the system database is using with the following command:\n\n$ sudo grep system-db /etc/dconf/profile/user\n\nsystem-db:local\n\nCheck that graphical settings are locked from non-privileged user modification with the following command:\n\nNote: The example below is using the database \"local\" for the system, so the path is \"/etc/dconf/db/local.d\". 
This path must be modified if a database other than \"local\" is being used.\n\n$ sudo grep -i lock-enabled /etc/dconf/db/local.d/locks/*\n\n/org/gnome/desktop/screensaver/lock-enabled\n\nIf the command does not return at least the example result, this is a finding.", - "fix": "Configure the operating system to prevent a user from overriding settings for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: \n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n$ sudo touch /etc/dconf/db/local.d/locks/session\n\nAdd the following setting to prevent non-privileged users from modifying it:\n\n/org/gnome/desktop/screensaver/lock-enabled" + "check": { + "__old": "Verify RHEL 8 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following commands:\n\n$ sudo grub2-editenv - list | grep audit\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the \"audit_backlog_limit\" entry does not equal \"8192\", is missing, or the line is commented out, this is a finding.\n\nCheck the audit_backlog_limit is set to persist in kernel updates: \n\n$ sudo grep audit /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"audit_backlog_limit=8192\"\n\nIf \"audit_backlog_limit\" is not set to \"8192\", is missing or commented out, this is a finding.", + "__new": "Verify RHEL 8 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following commands:\n\n$ sudo grub2-editenv - list | grep audit\n\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto 
resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the \"audit_backlog_limit\" entry does not equal \"8192\" or greater, is missing, or the line is commented out, this is a finding.\n\nCheck the audit_backlog_limit is set to persist in kernel updates: \n\n$ sudo grep audit /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"audit_backlog_limit=8192\"\n\nIf \"audit_backlog_limit\" is not set to \"8192\" or greater, is missing or commented out, this is a finding." + } } }, - "V-244540": { + "V-230470": { "tags": { - "check_id": "C-47815r743867_chk", - "severity": "high", - "gid": "V-244540", - "rid": "SV-244540r743869_rule", - "stig_id": "RHEL-08-020331", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-47772r743868_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "rid": { + "__old": "SV-230470r627750_rule", + "__new": "SV-230470r744006_rule" + }, + "fix_id": { + "__old": "F-33114r568157_fix", + "__new": "F-33114r744005_fix" + } }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244540" - ], - "title": "RHEL 8 must not allow blank or null passwords in the system-auth file.", - "desc": "[\"If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.false\"]", - "impact": 0.7, "descs": { - "check": "To verify that null passwords cannot be used, run the following command:\n\n$ sudo grep -i nullok /etc/pam.d/system-auth\n\nIf output is produced, this is a finding.", - "fix": "Remove any instances of the \"nullok\" option in the \"/etc/pam.d/system-auth\" file to prevent logons with empty passwords.\n\nNote: Manual changes to the listed file may be overwritten by the \"authselect\" program." 
+ "fix": { + "__old": "Configure RHEL 8 to enable Linux audit logging of the USBGuad daemon by adding or modifying the following line in \"/etc/usbguard/usbguard-daemon.conf\":\n\nAuditBackend=LinuxAudit", + "__new": "Configure RHEL 8 to enable Linux audit logging of the USBGuard daemon by adding or modifying the following line in \"/etc/usbguard/usbguard-daemon.conf\":\n\nAuditBackend=LinuxAudit" + } } }, - "V-244541": { + "V-230471": {}, + "V-230472": {}, + "V-230473": { "tags": { - "check_id": "C-47816r743870_chk", - "severity": "high", - "gid": "V-244541", - "rid": "SV-244541r743872_rule", - "stig_id": "RHEL-08-020332", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-47773r743871_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id": { + "__old": "C-33142r568165_chk", + "__new": "C-33142r744007_chk" + }, + "rid": { + "__old": "SV-230473r627750_rule", + "__new": "SV-230473r744008_rule" + } }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244541" - ], - "title": "RHEL 8 must not allow blank or null passwords in the password-auth file.", - "desc": "[\"If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.false\"]", - "impact": 0.7, "descs": { - "check": "To verify that null passwords cannot be used, run the following command:\n\n$ sudo grep -i nullok /etc/pam.d/password-auth\n\nIf output is produced, this is a finding.", - "fix": "Remove any instances of the \"nullok\" option in the \"/etc/pam.d/password-auth\" file to prevent logons with empty passwords.\n\nNote: Manual changes to the listed file may be overwritten by the \"authselect\" program." 
+ "check": { + "__old": "Verify the audit tools are owned by \"root\" to prevent any unauthorized access, deletion, or modification.\n\nCheck the owner of each audit tool by running the following command:\n\n$ sudo stat -c \"%U %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslog /sbin/augenrules\n\nroot /sbin/auditctl\nroot /sbin/aureport\nroot /sbin/ausearch\nroot /sbin/autrace\nroot /sbin/auditd\nroot /sbin/rsyslogd\nroot /sbin/augenrules\n\nIf any of the audit tools are not owned by \"root\", this is a finding.", + "__new": "Verify the audit tools are owned by \"root\" to prevent any unauthorized access, deletion, or modification.\n\nCheck the owner of each audit tool by running the following command:\n\n$ sudo stat -c \"%U %n\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules\n\nroot /sbin/auditctl\nroot /sbin/aureport\nroot /sbin/ausearch\nroot /sbin/autrace\nroot /sbin/auditd\nroot /sbin/rsyslogd\nroot /sbin/augenrules\n\nIf any of the audit tools are not owned by \"root\", this is a finding." 
+ } } }, - "V-244542": { + "V-230474": {}, + "V-230475": {}, + "V-230476": {}, + "V-230477": {}, + "V-230478": { "tags": { - "check_id": "C-47817r743873_chk", - "severity": "medium", - "gid": "V-244542", - "rid": "SV-244542r743875_rule", - "stig_id": "RHEL-08-030181", - "gtitle": "SRG-OS-000062-GPOS-00031", - "fix_id": "F-47774r743874_fix", - "cci": [ - "CCI-000169" - ], - "nist": [ - "AU-12 a" - ] + "check_id": { + "__old": "C-33147r568180_chk", + "__new": "C-33147r744009_chk" + }, + "rid": { + "__old": "SV-230478r627750_rule", + "__new": "SV-230478r744011_rule" + }, + "fix_id": { + "__old": "F-33122r568181_fix", + "__new": "F-33122r744010_fix" + } + }, + "desc": { + "__old": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nRHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. 
Couple this utility with \"gnutls\" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.\n\nRsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.\nExamples of each configuration:\nUDP *.* @remotesystemname\nTCP *.* @@remotesystemname\nRELP *.* :omrelp:remotesystemname:2514\nNote that a port number was given as there is no standard port for RELP.", + "__new": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nRHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with \"rsyslog-gnutls\" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.\n\nRsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.\nExamples of each configuration:\nUDP *.* @remotesystemname\nTCP *.* @@remotesystemname\nRELP *.* :omrelp:remotesystemname:2514\nNote that a port number was given as there is no standard port for RELP." 
}, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244542" - ], - "title": "RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.", - "desc": "[\"Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\\n\\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\\n\\nAssociating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system.\\n\\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220false\"]", - "impact": 0.5, "descs": { - "check": "Verify the audit service is configured to produce audit records with the following command:\n\n$ sudo systemctl status auditd.service.\n\nauditd.service - Security Auditing Service\nLoaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: 
enabled)\nActive: active (running) since Tues 2020-12-11 12:56:56 EST; 4 weeks 0 days ago\n\nIf the audit service is not \"active\" and \"running\", this is a finding.", - "fix": "Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred with the following commands:\n\n$ sudo systemctl enable auditd.service\n\n$ sudo systemctl start auditd.service" + "check": { + "__old": "Verify the operating system has the packages required for encrypting offloaded audit logs installed with the following commands:\n\n$ sudo yum list installed gnutls\n\ngnutls.x86_64 3.6.8-9.el8 @anaconda\n\nIf the \"gnutls\" package is not installed, ask the administrator to indicate how audit logs are being encrypted during offloading and what packages are installed to support it. If there is no evidence of audit logs being encrypted during offloading, this is a finding.", + "__new": "Verify the operating system has the packages required for encrypting offloaded audit logs installed with the following commands:\n\n$ sudo yum list installed rsyslog-gnutls\n\nrsyslog-gnutls.x86_64 8.1911.0-3.el8 @AppStream\n\nIf the \"rsyslog-gnutls\" package is not installed, ask the administrator to indicate how audit logs are being encrypted during offloading and what packages are installed to support it. If there is no evidence of audit logs being encrypted during offloading, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to encrypt offloaded audit logs by installing the required packages with the following command:\n\n$ sudo yum install gnutls", + "__new": "Configure the operating system to encrypt offloaded audit logs by installing the required packages with the following command:\n\n$ sudo yum install rsyslog-gnutls" + } } }, - "V-244543": { + "V-230479": {}, + "V-230480": {}, + "V-230481": {}, + "V-230482": {}, + "V-230483": { "tags": { - "check_id": "C-47818r743876_chk", - "severity": "medium", - "gid": "V-244543", - "rid": "SV-244543r743878_rule", - "stig_id": "RHEL-08-030731", - "gtitle": "SRG-OS-000343-GPOS-00134", - "fix_id": "F-47775r743877_fix", - "cci": [ - "CCI-001855" - ], - "nist": [ - "AU-5 (1)" - ] + "check_id": { + "__old": "C-33152r568195_chk", + "__new": "C-33152r744012_chk" + }, + "rid": { + "__old": "SV-230483r627750_rule", + "__new": "SV-230483r744014_rule" + }, + "fix_id": { + "__old": "F-33127r568196_fix", + "__new": "F-33127r744013_fix" + } + }, + "title": { + "__old": "RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.", + "__new": "RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity." 
}, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244543" - ], - "title": "RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.", - "desc": "[\"If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.false\"]", - "impact": 0.5, "descs": { - "check": "Verify RHEL 8 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:\n\n$ sudo grep -w space_left_action /etc/audit/auditd.conf\n\nspace_left_action = email\n\nIf the value of the \"space_left_action\" is not set to \"email\", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.\n\nIf there is no evidence that real-time alerts are configured on the system, this is a finding.", - "fix": "Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file.\n\nspace_left_action = email\n\nNote: Option names and values in the auditd.conf file are case insensitive." 
+ "check": { + "__old": "Verify RHEL 8 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following commands:\n\n$ sudo grep space_left /etc/audit/auditd.conf\n\nspace_left = 25%\nspace_left_action = email\n\nIf the value of the \"space_left\" keyword is not set to \"25%\" and the \"space_left_action\" is not set to \"email\", or if these lines are commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.\n\nIf there is no evidence that real-time alerts are configured on the system, this is a finding.", + "__new": "Verify RHEL 8 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following commands:\n\n$ sudo grep -w space_left /etc/audit/auditd.conf\n\nspace_left = 25%\n\nIf the value of the \"space_left\" keyword is not set to \"25%\" or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.\n\nIf there is no evidence that real-time alerts are configured on the system, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following lines in the /etc/audit/auditd.conf file.\n\nspace_left = 25%\nspace_left_action = email\n\nNote: Option names and values in the auditd.conf file are case insensitive.", + "__new": "Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file.\n\nspace_left = 25%\n\nNote: Option names and values in the auditd.conf file are case insensitive." + } } }, - "V-244544": { + "V-230484": {}, + "V-230485": {}, + "V-230486": {}, + "V-230487": {}, + "V-230488": {}, + "V-230489": {}, + "V-230491": {}, + "V-230492": {}, + "V-230493": {}, + "V-230494": {}, + "V-230495": {}, + "V-230496": { "tags": { - "check_id": "C-47819r743879_chk", - "severity": "medium", - "gid": "V-244544", - "rid": "SV-244544r743881_rule", - "stig_id": "RHEL-08-040101", - "gtitle": "SRG-OS-000297-GPOS-00115", - "fix_id": "F-47776r743880_fix", - "cci": [ - "CCI-002314" - ], - "nist": [ - "AC-17 (1)" - ] + "check_id": { + "__old": "C-33165r568234_chk", + "__new": "C-33165r744015_chk" + }, + "rid": { + "__old": "SV-230496r627750_rule", + "__new": "SV-230496r744017_rule" + }, + "fix_id": { + "__old": "F-33140r568235_fix", + "__new": "F-33140r744016_fix" + } + }, + "title": { + "__old": "RHEL 8 must disable the stream control transmission (SCTP) protocol.", + "__new": "RHEL 8 must disable the stream control transmission protocol (SCTP)." 
+ }, + "descs": { + "check": { + "__old": "Verify the operating system disables the ability to load the SCTP protocol kernel module.\n\n$ sudo grep -ri SCTP /etc/modprobe.d/* | grep -i \"/bin/true\"\n\ninstall SCTP /bin/true\n\nIf the command does not return any output, or the line is commented out, and use of the SCTP protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the SCTP protocol.\n\nCheck to see if the SCTP protocol is disabled with the following command:\n\n$ sudo grep -ri SCTP /etc/modprobe.d/* | grep -i \"blacklist\"\n\nblacklist SCTP\n\nIf the command does not return any output or the output is not \"blacklist SCTP\", and use of the SCTP protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", + "__new": "Verify the operating system disables the ability to load the SCTP kernel module.\n\n$ sudo grep -ri SCTP /etc/modprobe.d/* | grep -i \"/bin/true\"\n\ninstall SCTP /bin/true\n\nIf the command does not return any output, or the line is commented out, and use of the SCTP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nVerify the operating system disables the ability to use the SCTP.\n\nCheck to see if the SCTP is disabled with the following command:\n\n$ sudo grep -ri SCTP /etc/modprobe.d/* | grep -i \"blacklist\"\n\nblacklist SCTP\n\nIf the command does not return any output or the output is not \"blacklist SCTP\", and use of the SCTP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to disable the ability to use the SCTP protocol kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\ninstall SCTP /bin/true\nblacklist SCTP\n\nReboot the system for the settings to take effect.", + "__new": "Configure the operating system to disable the ability to use the SCTP kernel module.\n\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\n\ninstall SCTP /bin/true\nblacklist SCTP\n\nReboot the system for the settings to take effect." + } + } + }, + "V-230497": {}, + "V-230498": {}, + "V-230499": {}, + "V-230500": {}, + "V-230502": {}, + "V-230503": {}, + "V-230504": {}, + "V-230505": { + "tags": { + "check_id": { + "__old": "C-33174r568261_chk", + "__new": "C-33174r744018_chk" + }, + "rid": { + "__old": "SV-230505r627750_rule", + "__new": "SV-230505r744020_rule" + }, + "fix_id": { + "__old": "F-33149r568262_fix", + "__new": "F-33149r744019_fix" + } }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244544" - ], - "title": "A firewall must be active on RHEL 8.", - "desc": "[\"\\\"Firewalld\\\" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.\\n\\nRemote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.\\n\\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\\nRHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. 
Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).false\"]", - "impact": 0.5, "descs": { - "check": "Verify that \"firewalld\" is active with the following commands:\n\n$ sudo systemctl is-active firewalld\n\nactive\n\nIf the \"firewalld\" package is not \"active\", ask the System Administrator if another firewall is installed. If no firewall is installed and active this is a finding.", - "fix": "Configure \"firewalld\" to protect the operating system with the following command:\n\n$ sudo systemctl enable firewalld" + "check": { + "__old": "Verify that \"firewalld\" is installed and active with the following commands:\n\n$ sudo yum list installed firewalld\n\nfirewalld.noarch 0.7.0-5.el8\n\n$ sudo systemctl is-active firewalld\n\nactive\n\nIf the \"firewalld\" package is not installed and \"active\", ask the System Administrator if another firewall is installed. If no firewall is installed and active this is a finding.", + "__new": "Verify that \"firewalld\" is installed with the following commands:\n\n$ sudo yum list installed firewalld\n\nfirewalld.noarch 0.7.0-5.el8\n\nIf the \"firewalld\" package is not installed, ask the System Administrator if another firewall is installed. If no firewall is installed this is a finding." 
+ }, + "fix": { + "__old": "Install \"firewalld\" and enable with the following commands:\n\n$ sudo yum install firewalld.noarch\n\n$ sudo systemctl enable firewalld", + "__new": "Install \"firewalld\" with the following command:\n\n$ sudo yum install firewalld.noarch" + } } }, - "V-244545": { + "V-230506": {}, + "V-230507": {}, + "V-230508": {}, + "V-230509": {}, + "V-230510": {}, + "V-230511": {}, + "V-230512": {}, + "V-230513": {}, + "V-230514": {}, + "V-230515": {}, + "V-230516": {}, + "V-230517": {}, + "V-230518": {}, + "V-230519": {}, + "V-230520": {}, + "V-230521": {}, + "V-230522": {}, + "V-230523": { "tags": { - "check_id": "C-47820r743882_chk", - "severity": "medium", - "gid": "V-244545", - "rid": "SV-244545r743884_rule", - "stig_id": "RHEL-08-040136", - "gtitle": "SRG-OS-000368-GPOS-00154", - "fix_id": "F-47777r743883_fix", - "cci": [ - "CCI-001764" - ], - "nist": [ - "CM-7 (2)" - ] + "check_id": { + "__old": "C-33192r568315_chk", + "__new": "C-33192r744021_chk" + }, + "rid": { + "__old": "SV-230523r627750_rule", + "__new": "SV-230523r744023_rule" + }, + "fix_id": { + "__old": "F-33167r568316_fix", + "__new": "F-33167r744022_fix" + } + }, + "title": { + "__old": "The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.", + "__new": "The RHEL 8 fapolicy module must be installed." + }, + "desc": { + "__old": "The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.\n\nUtilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. 
Verification of whitelisted software occurs prior to execution or at system startup.\n\nUser home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.\n\nRHEL 8 ships with many optional packages. One such package is a file access policy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.\n\nProceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional.\n\n", + "__new": "The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.\n\nUtilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.\n\nUser home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.\n\nRHEL 8 ships with many optional packages. One such package is a file access policy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.\n\nProceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. 
The \"fapolicyd\" API is not namespace aware and can cause issues when launching or running containers.\n\n" }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244545" - ], - "title": "The RHEL 8 fapolicy module must be enabled.", - "desc": "[\"The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.\\n\\nUtilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.\\n\\nUser home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.\\n\\nRHEL 8 ships with many optional packages. One such package is a file access policy daemon called \\\"fapolicyd\\\". \\\"fapolicyd\\\" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.\\n\\nProceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. 
The \\\"fapolicyd\\\" API is not namespace aware and can cause issues when launching or running containers.\\n\\nSatisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232false\"]", - "impact": 0.5, "descs": { - "check": "Verify the RHEL 8 \"fapolicyd\" is enabled and running with the following command:\n\n$ sudo systemctl status fapolicyd.service\n\nfapolicyd.service - File Access Policy Daemon\nLoaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)\nActive: active (running)\n\nIf fapolicyd is not enabled and running, this is a finding.", - "fix": "Enable \"fapolicyd\" using the following command:\n\n$ sudo systemctl enable --now fapolicyd" + "check": { + "__old": "Verify the RHEL 8 \"fapolicyd\" is enabled and employs a deny-all, permit-by-exception policy.\n\nCheck that \"fapolicyd\" is installed, running, and in enforcing mode with the following commands:\n\n$ sudo yum list installed fapolicyd\n\nInstalled Packages\nfapolicyd.x86_64\n\n$ sudo systemctl status fapolicyd.service\n\nfapolicyd.service - File Access Policy Daemon\nLoaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)\nActive: active (running)\n\n$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf\n\npermissive = 0\n\nCheck that fapolicyd employs a deny-all policy on system mounts with the following commands:\n\n$ sudo tail /etc/fapolicyd/fapolicyd.rules\n\nallow exe=/usr/bin/python3.4 dir=execdirs ftype=text/x-pyton\ndeny_audit pattern ld_so all\ndeny all all\n\n$ sudo cat /etc/fapolicyd/fapolicyd.mounts\n\n/dev/shm\n/run\n/sys/fs/cgroup\n/\n/home\n/boot\n/run/user/42\n/run/user/1000\n\nIf fapolicyd is not running in enforcement mode on all system mounts with a deny-all, permit-by-exception policy, this is a finding.", + "__new": "Verify the RHEL 8 \"fapolicyd\" is installed.\n\nCheck that \"fapolicyd\" is installed with the following command:\n\n$ sudo yum list installed fapolicyd\n\nInstalled 
Packages\nfapolicyd.x86_64\n\nIf fapolicyd is not installed, this is a finding." + }, + "fix": { + "__old": "Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with \"fapolicyd\" using the following commands:\n\nInstall and enable \"fapolicyd\":\n\n$ sudo yum install fapolicyd.x86_64\n\n$ sudo mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf \"%s\\n\", $3 }' >> /etc/fapolicyd/fapolicyd.mounts\n\n$ sudo systemctl enable --now fapolicyd\n\nWith the \"fapolicyd\" installed and enabled, configure the daemon to function in permissive mode until the whitelist is built correctly to avoid system lockout. Do this by editing the \"/etc/fapolicyd/fapolicyd.conf\" file with the following line:\n\npermissive = 1\n\nBuild the whitelist in the \"/etc/fapolicyd/fapolicyd.rules\" file ensuring the last rule is \"deny all all\".\n\nOnce it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the \"permissive\" line in the /etc/fapolicyd/fapolicyd.conf file.\n\npermissive = 0", + "__new": "Install \"fapolicyd\" with the following command:\n\n$ sudo yum install fapolicyd.x86_64" + } } }, - "V-244546": { + "V-230524": { "tags": { - "check_id": "C-47821r743885_chk", - "severity": "medium", - "gid": "V-244546", - "rid": "SV-244546r743887_rule", - "stig_id": "RHEL-08-040137", - "gtitle": "SRG-OS-000368-GPOS-00154", - "fix_id": "F-47778r743886_fix", - "cci": [ - "CCI-001764" - ], - "nist": [ - "CM-7 (2)" - ] + "check_id": { + "__old": "C-33193r568318_chk", + "__new": "C-33193r744024_chk" + }, + "rid": { + "__old": "SV-230524r627750_rule", + "__new": "SV-230524r744026_rule" + }, + "fix_id": { + "__old": "F-33168r568319_fix", + "__new": "F-33168r744025_fix" + } }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244546" - ], - "title": "The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized 
software programs.", - "desc": "[\"The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.\\n\\nUtilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.\\n\\nUser home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.\\n\\nRHEL 8 ships with many optional packages. One such package is a file access policy daemon called \\\"fapolicyd\\\". \\\"fapolicyd\\\" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.\\n\\nProceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. 
The \\\"fapolicyd\\\" API is not namespace aware and can cause issues when launching or running containers.\\n\\nSatisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232false\"]", - "impact": 0.5, "descs": { - "check": "Verify the RHEL 8 \"fapolicyd\" employs a deny-all, permit-by-exception policy.\n\nCheck that \"fapolicyd\" is in enforcement mode with the following command:\n\n$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf\n\npermissive = 0\n\nCheck that fapolicyd employs a deny-all policy on system mounts with the following commands:\n\n$ sudo tail /etc/fapolicyd/fapolicyd.rules\n\nallow exe=/usr/bin/python3.7 : ftype=text/x-python\ndeny_audit perm=any pattern=ld_so : all\ndeny perm=any all : all\n\n$ sudo cat /etc/fapolicyd/fapolicyd.mounts\n\n/dev/shm\n/run\n/sys/fs/cgroup\n/\n/home\n/boot\n/run/user/42\n/run/user/1000\n\nIf fapolicyd is not running in enforcement mode on all system mounts with a deny-all, permit-by-exception policy, this is a finding.", - "fix": "Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with \"fapolicyd\" using the following command:\n\nNote: Running this command requires a root shell\n\n# mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf \"%s\\n\", $3 }' >> /etc/fapolicyd/fapolicyd.mounts\n\nWith the \"fapolicyd\" installed and enabled, configure the daemon to function in permissive mode until the whitelist is built correctly to avoid system lockout. 
Do this by editing the \"/etc/fapolicyd/fapolicyd.conf\" file with the following line:\n\npermissive = 1\n\nBuild the whitelist in the \"/etc/fapolicyd/fapolicyd.rules\" file ensuring the last rule is \"deny perm=any all : all\".\n\nOnce it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the \"permissive\" line in the /etc/fapolicyd/fapolicyd.conf file.\n\npermissive = 0" + "check": { + "__old": "Verify the operating system has enabled the use of USBGuard with the following command:\n\n$ sudo systemctl status usbguard.service\n\nusbguard.service - USBGuard daemon\nLoaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled)\nActive: active (running)\n\nIf the usbguard.service is not installed and active, ask the SA to indicate how unauthorized peripherals are being blocked.\n\nIf there is no evidence that unauthorized peripherals can be blocked before establishing a connection, this is a finding.", + "__new": "Verify the USBGuard has a policy configured with the following command:\n\n$ sudo usbguard list-rules\n\nIf the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked.\n\nIf there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding." 
+ }, + "fix": { + "__old": "Configure the operating system to enable the blocking of unauthorized peripherals with the following commands:\n\n$ sudo yum install usbguard.x86_64\n\n$ sudo usbguard generate-policy > /etc/usbguard/rules.conf\n\n$ sudo systemctl enable usbguard.service\n\n$ sudo systemctl start usbguard.service\n\nNote: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouse", + "__new": "Configure the operating system to enable the blocking of unauthorized peripherals with the following command:\nThis command must be run from a root shell and will create an allow list for any usb devices currently connect to the system.\n\n# usbguard generate-policy > /etc/usbguard/rules.conf\n\nNote: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouse" + } } }, - "V-244547": { + "V-230525": { "tags": { - "check_id": "C-47822r743888_chk", - "severity": "medium", - "gid": "V-244547", - "rid": "SV-244547r743890_rule", - "stig_id": "RHEL-08-040139", - "gtitle": "SRG-OS-000378-GPOS-00163", - "fix_id": "F-47779r743889_fix", - "cci": [ - "CCI-001958" - ], - "nist": [ - "IA-3" - ] + "check_id": { + "__old": "C-33194r568321_chk", + "__new": "C-33194r744027_chk" + }, + "rid": { + "__old": "SV-230525r627750_rule", + "__new": "SV-230525r744029_rule" + }, + "fix_id": { + "__old": "F-33169r568322_fix", + "__new": "F-33169r744028_fix" + } }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244547" - ], - "title": "RHEL 8 must have the USBGuard installed.", - "desc": "[\"Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\\nPeripherals include, but are not limited to, such devices as flash drives, external storage, and printers.\\nA new feature that 
RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.\\n\\nThe System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.false\"]", - "impact": 0.5, "descs": { - "check": "Verify USBGuard is installed on the operating system with the following command:\n\n$ sudo yum list installed usbguard\n\nInstalled Packages\nusbguard.x86_64 0.7.8-7.el8 @ol8_appstream\n\nIf the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked.\nIf there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.", - "fix": "Install the USBGuard package with the following command:\n\n$ sudo yum install usbguard.x86_64" + "check": { + "__old": "Verify \"nftables\" is configured to allow rate limits on any connection to the system with the following commands:\n\nCheck that the \"nftables.service\" is active and running:\n\n$ sudo systemctl status nftables.service\n\nnftables.service - Netfilter Tables\nLoaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)\nActive: active (running)\n\nVerify \"firewalld\" has \"nftables\" set as the default backend:\n\n$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf\n\n# FirewallBackend\nFirewallBackend=nftables\n\nIf the \"nftables\" is not active, running and set as the \"firewallbackend\" default, this is a finding.", + "__new": "Verify 
\"nftables\" is configured to allow rate limits on any connection to the system with the following command:\n\nVerify \"firewalld\" has \"nftables\" set as the default backend:\n\n$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf\n\n# FirewallBackend\nFirewallBackend=nftables\n\nIf the \"nftables\" is not set as the \"firewallbackend\" default, this is a finding." + }, + "fix": { + "__old": "Install \"nftables\" packages onto the host with the following commands:\n\n$ sudo yum install nftables.x86_64 1:0.9.0-14.el8\n\nConfigure the \"nftables\" service to automatically start after reboot with the following command:\n\n$ sudo systemctl enable nftables.service\n\nConfigure \"nftables\" to be the default \"firewallbackend\" for \"firewalld\" by adding or editing the following line in \"etc/firewalld/firewalld.conf\":\n\nFirewallBackend=nftables\n\nEstablish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.", + "__new": "Configure \"nftables\" to be the default \"firewallbackend\" for \"firewalld\" by adding or editing the following line in \"etc/firewalld/firewalld.conf\":\n\nFirewallBackend=nftables\n\nEstablish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces." 
+ } } }, - "V-244548": { + "V-230526": { "tags": { - "check_id": "C-47823r743891_chk", - "severity": "medium", - "gid": "V-244548", - "rid": "SV-244548r743893_rule", - "stig_id": "RHEL-08-040141", - "gtitle": "SRG-OS-000378-GPOS-00163", - "fix_id": "F-47780r743892_fix", - "cci": [ - "CCI-001958" - ], - "nist": [ - "IA-3" - ] + "check_id": { + "__old": "C-33195r568324_chk", + "__new": "C-33195r744030_chk" + }, + "rid": { + "__old": "SV-230526r627750_rule", + "__new": "SV-230526r744032_rule" + }, + "fix_id": { + "__old": "F-33170r568325_fix", + "__new": "F-33170r744031_fix" + } }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244548" - ], - "title": "RHEL 8 must enable the USBGuard.", - "desc": "[\"Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\\n\\nPeripherals include, but are not limited to, such devices as flash drives, external storage, and printers.\\n\\nA new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. 
The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.\\n\\nThe System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.false\"]", - "impact": 0.5, "descs": { - "check": "Verify the operating system has enabled the use of the USBGuard with the following command:\n\n$ sudo systemctl status usbguard.service\n\nusbguard.service - USBGuard daemon\nLoaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled)\nActive: active (running)\n\nIf the usbguard.service is not enabled and active, ask the SA to indicate how unauthorized peripherals are being blocked.\nIf there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.", - "fix": "Configure the operating system to enable the blocking of unauthorized peripherals with the following commands:\n\n$ sudo systemctl enable usbguard.service\n\n$ sudo systemctl start usbguard.service\n\nNote: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouse" + "check": { + "__old": "Verify SSH is loaded and active with the following command:\n\n$ sudo systemctl status sshd\n\nsshd.service - OpenSSH server daemon\nLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\nActive: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\nMain PID: 1348 (sshd)\nCGroup: /system.slice/sshd.service\n1053 /usr/sbin/sshd -D\n\nIf \"sshd\" does not show a status of \"active\" and \"running\", this is a finding.\n\nIf the \"SSH server\" package is not installed, this is a finding.", + "__new": "Verify SSH is loaded and active with the following command:\n\n$ sudo systemctl status sshd\n\nsshd.service 
- OpenSSH server daemon\nLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\nActive: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\nMain PID: 1348 (sshd)\nCGroup: /system.slice/sshd.service\n1053 /usr/sbin/sshd -D\n\nIf \"sshd\" does not show a status of \"active\" and \"running\", this is a finding." + }, + "fix": { + "__old": "Install SSH packages onto the host with the following commands:\n\n$ sudo yum install openssh-server.x86_64\n\nConfigure the SSH service to automatically start after reboot with the following command:\n\n$ sudo systemctl enable sshd.service", + "__new": "Configure the SSH service to automatically start after reboot with the following command:\n\n$ sudo systemctl enable sshd.service" + } } }, - "V-244549": { + "V-230527": {}, + "V-230529": {}, + "V-230530": {}, + "V-230531": {}, + "V-230532": {}, + "V-230533": {}, + "V-230534": {}, + "V-230535": { "tags": { - "check_id": "C-47824r743894_chk", - "severity": "medium", - "gid": "V-244549", - "rid": "SV-244549r743896_rule", - "stig_id": "RHEL-08-040159", - "gtitle": "SRG-OS-000423-GPOS-00187", - "fix_id": "F-47781r743895_fix", - "cci": [ - "CCI-002418" - ], - "nist": [ - "SC-8" - ] + "check_id": { + "__old": "C-33204r568351_chk", + "__new": "C-33204r744033_chk" + }, + "rid": { + "__old": "SV-230535r627750_rule", + "__new": "SV-230535r744035_rule" + }, + "fix_id": { + "__old": "F-33179r568352_fix", + "__new": "F-33179r744034_fix" + } + }, + "title": { + "__old": "RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted.", + "__new": "RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted." 
}, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244549" - ], - "title": "All RHEL 8 networked systems must have SSH installed.", - "desc": "[\"Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \\n\\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \\n\\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\\n\\nSatisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190false\"]", - "impact": 0.5, "descs": { - "check": "Verify SSH is installed with the following command:\n\n$ sudo yum list installed openssh-server\n\nopenssh-server.x86_64 8.0p1-5.el8 @anaconda\n\nIf the \"SSH server\" package is not installed, this is a finding.", - "fix": "Install SSH packages onto the host with the following command:\n\n$ sudo yum install openssh-server.x86_64" + "check": { + "__old": "Verify RHEL 8 will not accept ICMP redirect messages.\n\nNote: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_redirects 
net.ipv6.conf.default.accept_redirects\n\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv6.conf.default.accept_redirects = 0\n\nIf the returned lines do not have a value of \"0\", or a line is not returned, this is a finding.", + "__new": "Verify RHEL 8 will not accept IPv6 ICMP redirect messages.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_redirects\n\nnet.ipv6.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding." + }, + "fix": { + "__old": "Configure RHEL 8 to prevent ICMP redirect messages from being accepted with the following command:\n\n$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0\n\n$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.default.accept_redirects=0\n\nnet.ipv6.conf.default.accept_redirects=0", + "__new": "Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted with the following command:\n\n$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv6.conf.default.accept_redirects=0" + } } }, - "V-244550": { + "V-230536": { "tags": { - "check_id": "C-47825r743897_chk", - "severity": "medium", - "gid": "V-244550", - "rid": "SV-244550r743899_rule", - "stig_id": "RHEL-08-040209", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-47782r743898_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id": { + "__old": "C-33205r568354_chk", + "__new": "C-33205r744036_chk" + }, + "rid": { + "__old": "SV-230536r627750_rule", + 
"__new": "SV-230536r744037_rule" + } }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244550" - ], - "title": "RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.", - "desc": "[\"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false\"]", - "impact": 0.5, "descs": { - "check": "Verify RHEL 8 will not accept IPv4 ICMP redirect messages.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_redirects\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.", - "fix": "Configure RHEL 8 to prevent IPv4 ICMP redirect messages from being accepted with the following command:\n\n$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.default.accept_redirects=0" + "check": { + "__old": "Verify RHEL 8 does not IPv4 ICMP redirect messages.\n\nNote: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version.\n\nCheck the value of the \"all send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.send_redirects\n\nnet.ipv4.conf.all.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.", + "__new": "Verify RHEL 8 does not IPv4 ICMP redirect messages.\n\nNote: If IPv4 is disabled on the 
system, this requirement is Not Applicable.\n\nCheck the value of the \"all send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.send_redirects\n\nnet.ipv4.conf.all.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding." + } } }, - "V-244551": { + "V-230537": { "tags": { - "check_id": "C-47826r743900_chk", - "severity": "medium", - "gid": "V-244551", - "rid": "SV-244551r743902_rule", - "stig_id": "RHEL-08-040239", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-47783r743901_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id": { + "__old": "C-33206r568357_chk", + "__new": "C-33206r744038_chk" + }, + "rid": { + "__old": "SV-230537r627750_rule", + "__new": "SV-230537r744039_rule" + } }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244551" - ], - "title": "RHEL 8 must not forward IPv4 source-routed packets.", - "desc": "[\"Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.false\"]", - "impact": 0.5, "descs": { - "check": "Verify RHEL 8 does not accept IPv4 source-routed packets.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_source_route\n\nnet.ipv4.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.", - "fix": "Configure RHEL 8 to not forward IPv4 source-routed packets with the following command:\n\n$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0\n\nIf \"0\" is not the system's all value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.all.accept_source_route=0" + "check": { + "__old": "Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.\n\nNote: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version.\n\nCheck the value of the \"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n$ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the returned line does not have a value of \"1\", a line is not returned, or the retuned line is commented out, this is a finding.", + "__new": "Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\nCheck the value of the \"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n$ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the returned line does not have a value of \"1\", a line is not returned, or the retuned 
line is commented out, this is a finding." + } } }, - "V-244552": { + "V-230538": { "tags": { - "check_id": "C-47827r743903_chk", - "severity": "medium", - "gid": "V-244552", - "rid": "SV-244552r743905_rule", - "stig_id": "RHEL-08-040249", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-47784r743904_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id": { + "__old": "C-33207r568360_chk", + "__new": "C-33207r744040_chk" + }, + "rid": { + "__old": "SV-230538r627750_rule", + "__new": "SV-230538r744042_rule" + }, + "fix_id": { + "__old": "F-33182r568361_fix", + "__new": "F-33182r744041_fix" + } + }, + "title": { + "__old": "RHEL 8 must not forward source-routed packets.", + "__new": "RHEL 8 must not forward IPv6 source-routed packets." }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244552" - ], - "title": "RHEL 8 must not forward IPv4 source-routed packets by default.", - "desc": "[\"Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.false\"]", - "impact": 0.5, "descs": { - "check": "Verify RHEL 8 does not accept IPv4 source-routed packets by default.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_source_route\n\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.", - "fix": "Configure RHEL 8 to not forward IPv4 source-routed packets by default with the following command:\n\n$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0\n\nIf \"0\" is not the system's default value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.default.accept_source_route=0" + "check": { + "__old": "Verify RHEL 8 does not accept source-routed packets.\n\nNote: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_source_route net.ipv6.conf.all.accept_source_route\n\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv6.conf.all.accept_source_route = 0\n\nIf the returned lines do not have a value of \"0\", a line is not returned, or either returned line is commented out, this is a finding.", + "__new": "Verify RHEL 8 does not accept IPv6 source-routed packets.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_source_route\n\nnet.ipv6.conf.all.accept_source_route = 0\n\nIf the returned line 
does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding." + }, + "fix": { + "__old": "Configure RHEL 8 to not forward source-routed packets with the following commands:\n\n$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0\n\n$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0\n\nIf \"0\" is not the system's all value then add or update the following lines in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.all.accept_source_route=0\n\nnet.ipv6.conf.all.accept_source_route=0", + "__new": "Configure RHEL 8 to not forward IPv6 source-routed packets with the following command:\n\n$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0\n\nIf \"0\" is not the system's all value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv6.conf.all.accept_source_route=0" + } } }, - "V-244553": { + "V-230539": { "tags": { - "check_id": "C-47828r743906_chk", - "severity": "medium", - "gid": "V-244553", - "rid": "SV-244553r743908_rule", - "stig_id": "RHEL-08-040279", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-47785r743907_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id": { + "__old": "C-33208r568363_chk", + "__new": "C-33208r744043_chk" + }, + "rid": { + "__old": "SV-230539r627750_rule", + "__new": "SV-230539r744045_rule" + }, + "fix_id": { + "__old": "F-33183r568364_fix", + "__new": "F-33183r744044_fix" + } + }, + "title": { + "__old": "RHEL 8 must not forward source-routed packets by default.", + "__new": "RHEL 8 must not forward IPv6 source-routed packets by default." }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244553" - ], - "title": "RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.", - "desc": "[\"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false\"]", - "impact": 0.5, "descs": { - "check": "Verify RHEL 8 ignores IPv4 ICMP redirect messages.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_redirects\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.", - "fix": "Configure RHEL 8 to ignore IPv4 ICMP redirect messages with the following command:\n\n$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.all.accept_redirects = 0" + "check": { + "__old": "Verify RHEL 8 does not accept source-routed packets by default.\n\nNote: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_source_route net.ipv6.conf.default.accept_source_route\n\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv6.conf.default.accept_source_route = 0\n\nIf the returned lines do not have a value of \"0\", a line is not returned, or either returned line is commented out, this is a finding.", + "__new": "Verify RHEL 8 does not accept IPv6 source-routed packets by default.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_source_route\n\nnet.ipv6.conf.default.accept_source_route = 0\n\nIf the returned line does not have a 
value of \"0\", a line is not returned, or the line is commented out, this is a finding." + }, + "fix": { + "__old": "Configure RHEL 8 to not forward source-routed packets by default with the following commands:\n\n$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0\n\n$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0\n\nIf \"0\" is not the system's default value then add or update the following lines in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.default.accept_source_route=0\n\nnet.ipv6.conf.default.accept_source_route=0", + "__new": "Configure RHEL 8 to not forward IPv6 source-routed packets by default with the following command:\n\n$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0\n\nIf \"0\" is not the system's default value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv6.conf.default.accept_source_route=0" + } } }, - "V-244554": { + "V-230540": {}, + "V-230541": {}, + "V-230542": {}, + "V-230543": { "tags": { - "check_id": "C-47829r743909_chk", - "severity": "medium", - "gid": "V-244554", - "rid": "SV-244554r743911_rule", - "stig_id": "RHEL-08-040286", - "gtitle": "SRG-OS-000480-GPOS-00227", - "fix_id": "F-47786r743910_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b" - ] + "check_id": { + "__old": "C-33212r568375_chk", + "__new": "C-33212r744046_chk" + }, + "rid": { + "__old": "SV-230543r627750_rule", + "__new": "SV-230543r744047_rule" + } }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-244554" - ], - "title": "RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.", - "desc": "[\"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors.\\nEnabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to \\\"2\\\" enables JIT hardening for all users.false\"]", - "impact": 0.5, "descs": { - "check": "Verify RHEL 8 enables hardening for the BPF JIT with the following commands:\n\n$ sudo sysctl net.core.bpf_jit_harden\n\nnet.core.bpf_jit_harden = 2\n\nIf the returned line does not have a value of \"2\", or a line is not returned, this is a finding.", - "fix": "Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file in the \"/etc/sysctl.d\" directory:\n\nnet.core.bpf_jit_harden = 2\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system" + "check": { + "__old": "Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.\n\nNote: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version.\n\nCheck the value of the \"default send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.send_redirects\n\nnet.ipv4.conf.default.send_redirects=0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.", + "__new": "Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.\n\nNote: If IPv4 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the \"default send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.send_redirects\n\nnet.ipv4.conf.default.send_redirects=0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding." 
+ } } }, - "V-245540": { + "V-230544": { "tags": { - "check_id": "C-48814r754728_chk", - "severity": "medium", - "gid": "V-245540", - "rid": "SV-245540r754730_rule", - "stig_id": "RHEL-08-010001", - "gtitle": "SRG-OS-000191-GPOS-00080", - "fix_id": "F-48770r754729_fix", - "cci": [ - "CCI-001233" - ], - "nist": [ - "SI-2 (2)" - ] + "check_id": { + "__old": "C-33213r568378_chk", + "__new": "C-33213r744048_chk" + }, + "rid": { + "__old": "SV-230544r627750_rule", + "__new": "SV-230544r744050_rule" + }, + "fix_id": { + "__old": "F-33188r568379_fix", + "__new": "F-33188r744049_fix" + } + }, + "title": { + "__old": "RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages.", + "__new": "RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages." }, - "refs": [ - [ - "DPMS Target Red Hat Enterprise Linux 8" - ] - ], - "id": [ - "V-245540" - ], - "title": "The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.", - "desc": "[\"Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.false\"]", - "impact": 0.5, "descs": { - "check": "Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux.\n\nProcedure:\nCheck that the following package has been installed:\n\n$ sudo rpm -qa | grep -i mcafeetp\n\nIf the \"mcafeetp\" package is not installed, this is a finding.\n\nVerify that the daemon is running:\n\n$ sudo ps -ef | grep -i mfetpd\n\nIf the daemon is not running, this is a finding.", - "fix": "Install and enable the latest McAfee ENSLTP package." 
+ "check": { + "__old": "Verify RHEL 8 ignores ICMP redirect messages.\n\nNote: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_redirects net.ipv6.conf.all.accept_redirects\n\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv6.conf.all.accept_redirects = 0\n\nIf both of the returned lines do not have a value of \"0\", or a line is not returned, this is a finding.", + "__new": "Verify RHEL 8 ignores IPv6 ICMP redirect messages.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_redirects\n\nnet.ipv6.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding." 
+ }, + "fix": { + "__old": "Configure RHEL 8 to ignore ICMP redirect messages with the following commands:\n\n$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0\n\n$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following lines in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nnet.ipv6.conf.all.accept_redirects = 0", + "__new": "Configure RHEL 8 to ignore IPv6 ICMP redirect messages with the following command:\n\n$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0\n\nIf \"0\" is not the system's default value then add or update the following line in the appropriate file under \"/etc/sysctl.d\":\n\nnet.ipv6.conf.all.accept_redirects = 0" + } } - } - }, - "changedControls": {} + }, + "V-230545": {}, + "V-230546": {}, + "V-230547": {}, + "V-230548": {}, + "V-230549": {}, + "V-230550": {}, + "V-230551": {}, + "V-230552": {}, + "V-230553": {}, + "V-230554": {}, + "V-230555": {}, + "V-230556": {}, + "V-230557": {}, + "V-230558": {}, + "V-230559": {}, + "V-230560": {}, + "V-230561": {}, + "V-237640": {}, + "V-237641": {}, + "V-237642": {}, + "V-237643": {} + } } } \ No newline at end of file diff --git a/test/sample_data/profile-objects/Special/OVAL/Ubuntu-20.04-OVAL.json b/test/sample_data/profile-objects/Special/OVAL/Ubuntu-20.04-OVAL.json index b8c6ed6..e54a8f5 100644 --- a/test/sample_data/profile-objects/Special/OVAL/Ubuntu-20.04-OVAL.json +++ b/test/sample_data/profile-objects/Special/OVAL/Ubuntu-20.04-OVAL.json 
@@ -161,157 +161,157 @@
 {
 "ref": "4.3.3.2.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.5.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.6.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.6.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.6.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.6.4",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.6.5",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.6.6",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.6.7",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.6.8",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.6.9",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.7.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.7.4",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 1.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 1.10",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 1.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 1.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 1.4",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 1.5",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 1.7",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 1.8",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 1.9",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 6.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -538,7 +538,7 @@
 }
 ],
 "id": "account_disable_post_pw_expiration",
- "title": "undefined title",
+ "title": "Set Account Expiration Following Inactivity",
 "desc": "To specify the number of days after a password expires (which\nsignifies inactivity) until an account is permanently disabled, add or correct\nthe following line in:If a password is currently on the verge of expiration, thenday(s) remain(s) until the account is automatically\ndisabled. However, if the password will not expire for another 60 days, then 60\ndays plusday(s) could\nelapse until the account would be automatically disabled. See theman page for more information.",
 "impact": 0.5,
 "descs": {}
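Review bot: The regenerated fixture now expects a bare `&` where every `url` entry previously held `&amp;`, so the OVAL parser's contract on XML entities has changed, yet the only evidence of the intended behaviour is this 157-line sample-file diff. A small targeted parser test that feeds a minimal OVAL reference containing `&amp;` and asserts the decoded `&` in the resulting `url` would pin that contract independently of the fixture and make a future parser-option regression visible at once. If the decoding now comes from the XML parser's entity processing, it presumably also expands DOCTYPE-declared entities; benchmark and OVAL files are routinely third-party input, so it is worth confirming that such expansion is bounded or that a DOCTYPE is rejected before trusting this path on untrusted content. The `"undefined title"` to `"Set Account Expiration Following Inactivity"` change in the second hunk looks like a genuine fix and likewise deserves a one-line assertion in the parser tests rather than only a fixture update.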
@@ -669,97 +669,97 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": 
"SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -926,7 +926,7 @@ } ], "id": "account_temp_expire_date", - "title": "undefined title", + "title": "Assign Expiration Date to Temporary Accounts", "desc": "Temporary accounts are established as part of normal account activation\nprocedures when there is a need for short-term accounts. In the event\ntemporary or emergency accounts are required, configure the system to\nterminate them after a documented time period. For every temporary and\nemergency account, run the following command to set an expiration date on\nit, substitutingandappropriately:indicates the documented expiration date for the\naccount. For U.S. Government systems, the operating system must be\nconfigured to automatically terminate these types of accounts after a\nperiod of 72 hours.", "impact": 0.5, "descs": {} 
@@ -966,7 +966,7 @@ } ], "id": "account_unique_name", - "title": "undefined title", + "title": "Ensure All Accounts on the System Have Unique Names", "desc": "Ensure accounts on the system have unique names.\n\nTo ensure all accounts have unique names, run the following command:If a username is returned, change or delete the username.", "impact": 0.5, "descs": {} @@ -981,7 +981,7 @@ }, "refs": [], "id": "account_use_centralized_automated_auth", - "title": "undefined title", + "title": "Use Centralized and Automated Authentication", "desc": "Implement an automated system for managing user accounts that minimizes the\nrisk of errors, either intentional or deliberate. This system\nshould integrate with an existing enterprise user management system, such as\none based on Identity Management tools such as Active Directory, Kerberos,\nDirectory Server, etc.", "impact": 0.5, "descs": {} @@ -1046,19 +1046,19 @@ { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -1123,7 +1123,7 @@ } ], "id": "accounts_logon_fail_delay", - "title": "undefined title", + "title": "Ensure the Logon Failure Delay is Set Correctly in login.defs", "desc": "To ensure the logon failure delay controlled byis set properly,\nadd or correct thesetting into read as follows:", "impact": 0.5, "descs": {} 
@@ -1188,19 +1188,19 @@ { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -1277,7 +1277,7 @@ } ], "id": "accounts_max_concurrent_login_sessions", - "title": "undefined title", + "title": "Limit the Number of Concurrent Login Sessions Allowed Per User", "desc": "Limiting the number of allowed users and sessions per user can limit risks related to Denial of\nService attacks. This addresses concurrent sessions for a single account and does not address\nconcurrent sessions by a single user via multiple accounts. To set the number of concurrent\nsessions per user add the following line inor\na file under:", "impact": 0.3, "descs": {} 
@@ -1390,145 +1390,145 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -1647,7 +1647,7 @@ } ], "id": "accounts_maximum_age_login_defs", - "title": "undefined title", + "title": "Set Password Maximum Age", "desc": "To specify password maximum age for new accounts,\nedit the fileand add or correct the following line:A value of 180 days is sufficient for many environments.\nThe DoD requirement is 60.\nThe profile requirement is.", "impact": 0.5, "descs": {} 
@@ -1755,145 +1755,145 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -2006,11 +2006,11 @@ } ], "id": "accounts_minimum_age_login_defs", - "title": "undefined title", + "title": "Set Password Minimum Age", "desc": "To specify password minimum age for new accounts,\nedit the fileand add or correct the following line:A value of 1 day is considered sufficient for many\nenvironments. The DoD requirement is 1.\nThe profile requirement is.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'login' 2>/dev/null | grep -q installed; then\n\n\nvar_accounts_minimum_age_login_defs=\"\"\n\n\n\ngrep -q ^PASS_MIN_DAYS /etc/login.defs && \\\n sed -i \"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g\" /etc/login.defs\nif ! [ $? -eq 0 ]; then\n echo \"PASS_MIN_DAYS $var_accounts_minimum_age_login_defs\" >> /etc/login.defs\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'login' 2>/dev/null | grep -q installed; then\n\n\nvar_accounts_minimum_age_login_defs=\"\"\n\n\n\ngrep -q ^PASS_MIN_DAYS /etc/login.defs && \\\n sed -i \"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g\" /etc/login.defs\nif ! [ $? -eq 0 ]; then\n echo \"PASS_MIN_DAYS $var_accounts_minimum_age_login_defs\" >> /etc/login.defs\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -2152,157 +2152,157 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -2607,11 +2607,11 @@ } ], "id": "accounts_no_uid_except_zero", - "title": "undefined title", + "title": "Verify Only Root Has UID 0", "desc": "If any account other than root has a UID of 0, this misconfiguration should\nbe investigated and the accounts other than root should be removed or have\ntheir UID changed.If the account is associated with system commands or applications the UID\nshould be changed to one greater than \"0\" but less than \"1000.\"\nOtherwise assign a UID greater than \"1000\" that has not already been\nassigned.", "impact": 0.7, "descs": { - "fix": "awk -F: '$3 == 0 && $1 != \"root\" { print $1 }' /etc/passwd | xargs --max-lines=1 passwd -l" + "fix": "awk -F: '$3 == 0 && $1 != \"root\" { print $1 }' /etc/passwd | xargs --max-lines=1 passwd -l" } }, { 
@@ -2704,145 +2704,145 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -2943,7 +2943,7 @@ } ], "id": "accounts_password_all_shadowed", - "title": "undefined title", + "title": "Verify All Account Password Hashes are Shadowed", "desc": "If any password hashes are stored in(in the second field,\ninstead of anor), the cause of this misconfiguration should be\ninvestigated. The account should have its password reset and the hash should be\nproperly stored, or the account should be deleted entirely.", "impact": 0.5, "descs": {} @@ -3013,7 +3013,7 @@ } ], "id": "accounts_password_all_shadowed_sha512", - "title": "undefined title", + "title": "Verify All Account Password Hashes are Shadowed with SHA512", "desc": "Verify the operating system requires the shadow password suite\nconfiguration be set to encrypt interactive user passwords using a strong\ncryptographic hash.\nCheck that the interactive user account passwords are using a strong\npassword hash with the following command:Password hashesorindicate inactive accounts not\navailable for logon and are not evaluated.\nIf any interactive user password hash does not begin with,\nthis is a finding.", "impact": 0.5, "descs": {} 
@@ -3120,145 +3120,145 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -3371,7 +3371,7 @@ } ], "id": "accounts_password_minlen_login_defs", - "title": "undefined title", + "title": "Set Password Minimum Length in login.defs", "desc": "To specify password length requirements for new accounts, edit the fileand add or correct the following line:The DoD requirement is.\nThe FISMA requirement is.\nThe profile requirement is.\nIf a program consultsand also another PAM module\n(such as) during a password change operation, then\nthe most restrictive must be satisfied. See PAM section for more\ninformation about enforcing password quality requirements.", "impact": 0.5, "descs": {} 
@@ -3473,145 +3473,145 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -3742,11 +3742,11 @@ } ], "id": "accounts_password_pam_dcredit", - "title": "undefined title", + "title": "Ensure PAM Enforces Password Requirements - Minimum Digit Characters", "desc": "The pam_pwquality module'sparameter controls requirements for\nusage of digits in a password. When set to a negative number, any password will be required to\ncontain that many digits. When set to a positive number, pam_pwquality will grant +1 additional\nlength credit for each digit. Modify thesetting into require the use of a digit in passwords.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_dcredit=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/security/pwquality.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^dcredit\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_password_pam_dcredit\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^dcredit\\\\>\" \"/etc/security/pwquality.conf\"; then\n \"${sed_command[@]}\" \"s/^dcredit\\\\>.*/$formatted_output/gi\" \"/etc/security/pwquality.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/security/pwquality.conf\" >> \"/etc/security/pwquality.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/security/pwquality.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_dcredit=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/security/pwquality.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^dcredit\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_password_pam_dcredit\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^dcredit\\\\>\" \"/etc/security/pwquality.conf\"; then\n \"${sed_command[@]}\" \"s/^dcredit\\\\>.*/$formatted_output/gi\" \"/etc/security/pwquality.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/security/pwquality.conf\" >> \"/etc/security/pwquality.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/security/pwquality.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -3803,11 +3803,11 @@ } ], "id": "accounts_password_pam_dictcheck", - "title": "undefined title", + "title": "Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words", "desc": "The pam_pwquality module'scheck if passwords contains dictionary words. Whenis set topasswords will be checked for dictionary words.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_dictcheck=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/security/pwquality.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^dictcheck\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_password_pam_dictcheck\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^dictcheck\\\\>\" \"/etc/security/pwquality.conf\"; then\n \"${sed_command[@]}\" \"s/^dictcheck\\\\>.*/$formatted_output/gi\" \"/etc/security/pwquality.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/security/pwquality.conf\" >> \"/etc/security/pwquality.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/security/pwquality.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_dictcheck=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/security/pwquality.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^dictcheck\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_password_pam_dictcheck\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^dictcheck\\\\>\" \"/etc/security/pwquality.conf\"; then\n \"${sed_command[@]}\" \"s/^dictcheck\\\\>.*/$formatted_output/gi\" \"/etc/security/pwquality.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/security/pwquality.conf\" >> \"/etc/security/pwquality.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/security/pwquality.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -3901,145 +3901,145 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -4158,11 +4158,11 @@ } ], "id": "accounts_password_pam_difok", - "title": "undefined title", + "title": "Ensure PAM Enforces Password Requirements - Minimum Different Characters", "desc": "The pam_pwquality module'sparameter sets the number of characters\nin a password that must not be present in and old password during a password change.Modify thesetting into equalto require differing characters\nwhen changing passwords.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_difok=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/security/pwquality.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^difok\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_password_pam_difok\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^difok\\\\>\" \"/etc/security/pwquality.conf\"; then\n \"${sed_command[@]}\" \"s/^difok\\\\>.*/$formatted_output/gi\" \"/etc/security/pwquality.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/security/pwquality.conf\" >> \"/etc/security/pwquality.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/security/pwquality.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_difok=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/security/pwquality.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^difok\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_password_pam_difok\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^difok\\\\>\" \"/etc/security/pwquality.conf\"; then\n \"${sed_command[@]}\" \"s/^difok\\\\>.*/$formatted_output/gi\" \"/etc/security/pwquality.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/security/pwquality.conf\" >> \"/etc/security/pwquality.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/security/pwquality.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -4195,11 +4195,11 @@ } ], "id": "accounts_password_pam_enforcing", - "title": "undefined title", + "title": "Ensure PAM Enforces Password Requirements - Enforcing", "desc": "Verify that the operating system uses \"pwquality\" to enforce the\npassword complexity rules.\n\nVerify the pwquality module is being enforced by operating system by\nrunning the following command:If the value of \"enforcing\" is not \"1\" or the line is commented out,\nthis is a finding.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\nif [ -e \"/etc/security/pwquality.conf\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*enforcing = 1/Id\" \"/etc/security/pwquality.conf\"\nelse\n touch \"/etc/security/pwquality.conf\"\nfi\ncp \"/etc/security/pwquality.conf\" \"/etc/security/pwquality.conf.bak\"\n# Insert at the end of the file\nprintf '%s\\n' \"enforcing = 1\" >> \"/etc/security/pwquality.conf\"\n# Clean up after ourselves.\nrm \"/etc/security/pwquality.conf.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\nif [ -e \"/etc/security/pwquality.conf\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*enforcing = 1/Id\" \"/etc/security/pwquality.conf\"\nelse\n touch \"/etc/security/pwquality.conf\"\nfi\ncp \"/etc/security/pwquality.conf\" \"/etc/security/pwquality.conf.bak\"\n# Insert at the end of the file\nprintf '%s\\n' \"enforcing = 1\" >> \"/etc/security/pwquality.conf\"\n# Clean up after ourselves.\nrm \"/etc/security/pwquality.conf.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -4299,145 +4299,145 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -4568,11 +4568,11 @@ } ], "id": "accounts_password_pam_lcredit", - "title": "undefined title", + "title": "Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters", "desc": "The pam_pwquality module'sparameter controls requirements for\nusage of lowercase letters in a password. When set to a negative number, any password will be required to\ncontain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional\nlength credit for each lowercase character. Modify thesetting into require the use of a lowercase character in passwords.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_lcredit=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/security/pwquality.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^lcredit\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_password_pam_lcredit\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^lcredit\\\\>\" \"/etc/security/pwquality.conf\"; then\n \"${sed_command[@]}\" \"s/^lcredit\\\\>.*/$formatted_output/gi\" \"/etc/security/pwquality.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/security/pwquality.conf\" >> \"/etc/security/pwquality.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/security/pwquality.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_lcredit=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/security/pwquality.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^lcredit\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_password_pam_lcredit\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^lcredit\\\\>\" \"/etc/security/pwquality.conf\"; then\n \"${sed_command[@]}\" \"s/^lcredit\\\\>.*/$formatted_output/gi\" \"/etc/security/pwquality.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/security/pwquality.conf\" >> \"/etc/security/pwquality.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/security/pwquality.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
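Review bot: The new side fixes the title but the rule's substantive content is still missing: `desc` reads `The pam_pwquality module'sparameter controls requirements` with the parameter name dropped, and the remediation script carries `var_password_pam_lcredit=\"\"`, so the `printf -v formatted_output \"%s = %s\"` line would write a bare `lcredit = ` with no value into /etc/security/pwquality.conf — a fix that does not enforce the control and may leave the file in a state pam_pwquality rejects. This looks like inline elements and value substitutions from the XCCDF being stripped rather than resolved, and the same pattern appears for minclass, minlen and ocredit further down. I would not accept this fixture as expected output without either resolving those values before emission or recording the gap explicitly (a tracking issue or a note in the fixture's README) so a consumer does not ship the empty remediation. The JSON object these lines belong to begins before the hunk.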
@@ -4666,145 +4666,145 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
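Review bot: Every removed and added `url` line in this hunk renders identically (`...pageid=111294&productId=116731`), so the 145-line change is invisible as shown and is presumably an entity-encoding difference (`&amp;` versus a bare `&`) that the page has normalised. Which side carries the literal `&amp;` matters: a reference URL stored as `...&amp;productId=...` does not resolve to the ISA document the control cites, and anything following these links from the generated profile requests the wrong resource. I would confirm in the raw fixture that the new side holds the bare `&`, and add an assertion in the parser test that one such reference URL contains `&productId=` and not `&amp;productId=`, so the encoding cannot silently flip again on the next parser-option change.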
@@ -4917,11 +4917,11 @@ } ], "id": "accounts_password_pam_minclass", - "title": "undefined title", + "title": "Ensure PAM Enforces Password Requirements - Minimum Different Categories", "desc": "The pam_pwquality module'sparameter controls\nrequirements for usage of different character classes, or types, of character\nthat must exist in a password before it is considered valid. For example,\nsetting this value to three (3) requires that any password must have characters\nfrom at least three different categories in order to be approved. The default\nvalue is zero (0), meaning there are no required classes. There are four\ncategories available:Modify thesetting inentry\nto requirediffering categories of characters when changing passwords.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_minclass=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/security/pwquality.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^minclass\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_password_pam_minclass\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^minclass\\\\>\" \"/etc/security/pwquality.conf\"; then\n \"${sed_command[@]}\" \"s/^minclass\\\\>.*/$formatted_output/gi\" \"/etc/security/pwquality.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/security/pwquality.conf\" >> \"/etc/security/pwquality.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/security/pwquality.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_minclass=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/security/pwquality.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^minclass\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_password_pam_minclass\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^minclass\\\\>\" \"/etc/security/pwquality.conf\"; then\n \"${sed_command[@]}\" \"s/^minclass\\\\>.*/$formatted_output/gi\" \"/etc/security/pwquality.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/security/pwquality.conf\" >> \"/etc/security/pwquality.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/security/pwquality.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -5027,145 +5027,145 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -5296,11 +5296,11 @@ } ], "id": "accounts_password_pam_minlen", - "title": "undefined title", + "title": "Ensure PAM Enforces Password Requirements - Minimum Length", "desc": "The pam_pwquality module'sparameter controls requirements for\nminimum characters required in a password. Addafter pam_pwquality to set minimum password length requirements.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_minlen=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/security/pwquality.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^minlen\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_password_pam_minlen\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^minlen\\\\>\" \"/etc/security/pwquality.conf\"; then\n \"${sed_command[@]}\" \"s/^minlen\\\\>.*/$formatted_output/gi\" \"/etc/security/pwquality.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/security/pwquality.conf\" >> \"/etc/security/pwquality.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/security/pwquality.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_minlen=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/security/pwquality.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^minlen\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_password_pam_minlen\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^minlen\\\\>\" \"/etc/security/pwquality.conf\"; then\n \"${sed_command[@]}\" \"s/^minlen\\\\>.*/$formatted_output/gi\" \"/etc/security/pwquality.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/security/pwquality.conf\" >> \"/etc/security/pwquality.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/security/pwquality.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -5400,145 +5400,145 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -5663,11 +5663,11 @@ } ], "id": "accounts_password_pam_ocredit", - "title": "undefined title", + "title": "Ensure PAM Enforces Password Requirements - Minimum Special Characters", "desc": "The pam_pwquality module'sparameter controls requirements for\nusage of special (or \"other\") characters in a password. When set to a negative number,\nany password will be required to contain that many special characters.\nWhen set to a positive number, pam_pwquality will grant +1\nadditional length credit for each special character. Modify thesetting\ninto equalto require use of a special character in passwords.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_ocredit=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/security/pwquality.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^ocredit\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_password_pam_ocredit\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^ocredit\\\\>\" \"/etc/security/pwquality.conf\"; then\n \"${sed_command[@]}\" \"s/^ocredit\\\\>.*/$formatted_output/gi\" \"/etc/security/pwquality.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/security/pwquality.conf\" >> \"/etc/security/pwquality.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/security/pwquality.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_ocredit=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/security/pwquality.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^ocredit\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_password_pam_ocredit\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^ocredit\\\\>\" \"/etc/security/pwquality.conf\"; then\n \"${sed_command[@]}\" \"s/^ocredit\\\\>.*/$formatted_output/gi\" \"/etc/security/pwquality.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/security/pwquality.conf\" >> \"/etc/security/pwquality.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/security/pwquality.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -5699,7 +5699,7 @@ } ], "id": "accounts_password_pam_pwhistory_remember", - "title": "undefined title", + "title": "Limit Password Reuse", "desc": "Do not allow users to reuse recent passwords. This can be\naccomplished by using theoption for thePAM modules.In the file, make sure the parametersandare present, and that the value\nfor theparameter isor greater. For example:The DoD STIG requirement is 5 passwords.", "impact": 0.5, "descs": {} 
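Review bot: In the `accounts_password_pam_pwhistory_remember` hunk (which starts mid-line), the new title `Limit Password Reuse` is correct, but the description has lost every identifier it depends on — `theoption for thePAM modules.In the file, make sure the parametersandare present, and that the value\nfor theparameter isor greater` — and `descs` is `{}`, so the control names neither the module, the option, the file nor the required value, and carries no fix text. An InSpec author working from this profile cannot tell what to check, and the only concrete value left (`The DoD STIG requirement is 5 passwords`) is in free text. The dropped words are the inline XCCDF elements (`<tt>`, `<sub>` and similar) that the converter strips; I would either preserve their text content when removing the tags or flag controls whose description loses inline element text, rather than checking in a fixture that treats this output as expected.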
@@ -5849,163 +5849,163 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -6172,11 +6172,11 @@ } ], "id": "accounts_password_pam_retry", - "title": "undefined title", + "title": "Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session", "desc": "To configure the number of retry prompts that are permitted per-session:\nEdit thestatement into show, or a lower value if site\npolicy is more restrictive. The DoD requirement is a maximum of 3 prompts\nper session.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_retry=\"\"\n\n\n\nif [ -e \"/etc/pam.d/common-password\" ] ; then\n valueRegex=\"$var_password_pam_retry\" defaultValue=\"$var_password_pam_retry\"\n # non-empty values need to be preceded by an equals sign\n [ -n \"${valueRegex}\" ] && valueRegex=\"=${valueRegex}\"\n # add an equals sign to non-empty values\n [ -n \"${defaultValue}\" ] && defaultValue=\"=${defaultValue}\"\n\n # fix 'type' if it's wrong\n if grep -q -P \"^\\\\s*(?\"'!'\"password\\\\s)[[:alnum:]]+\\\\s+[[:alnum:]]+\\\\s+pam_pwquality.so\" < \"/etc/pam.d/common-password\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*)[[:alnum:]]+(\\\\s+[[:alnum:]]+\\\\s+pam_pwquality.so)/\\\\1password\\\\2/\" \"/etc/pam.d/common-password\"\n fi\n\n # fix 'control' if it's wrong\n if grep -q -P \"^\\\\s*password\\\\s+(?\"'!'\"requisite)[[:alnum:]]+\\\\s+pam_pwquality.so\" < \"/etc/pam.d/common-password\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*password\\\\s+)[[:alnum:]]+(\\\\s+pam_pwquality.so)/\\\\1requisite\\\\2/\" \"/etc/pam.d/common-password\"\n fi\n\n # fix the value for 'option' if one exists but does not match 'valueRegex'\n if grep -q -P \"^\\\\s*password\\\\s+requisite\\\\s+pam_pwquality.so(\\\\s.+)?\\\\s+retry(?\"'!'\"${valueRegex}(\\\\s|\\$))\" < \"/etc/pam.d/common-password\" ; then\n sed --follow-symlinks -i -E -e 
\"s/^(\\\\s*password\\\\s+requisite\\\\s+pam_pwquality.so(\\\\s.+)?\\\\s)retry=[^[:space:]]*/\\\\1retry${defaultValue}/\" \"/etc/pam.d/common-password\"\n\n # add 'option=default' if option is not set\n elif grep -q -E \"^\\\\s*password\\\\s+requisite\\\\s+pam_pwquality.so\" < \"/etc/pam.d/common-password\" &&\n grep -E \"^\\\\s*password\\\\s+requisite\\\\s+pam_pwquality.so\" < \"/etc/pam.d/common-password\" | grep -q -E -v \"\\\\sretry(=|\\\\s|\\$)\" ; then\n\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*password\\\\s+requisite\\\\s+pam_pwquality.so[^\\\\n]*)/\\\\1 retry${defaultValue}/\" \"/etc/pam.d/common-password\"\n # add a new entry if none exists\n elif ! grep -q -P \"^\\\\s*password\\\\s+requisite\\\\s+pam_pwquality.so(\\\\s.+)?\\\\s+retry${valueRegex}(\\\\s|\\$)\" < \"/etc/pam.d/common-password\" ; then\n echo \"password requisite pam_pwquality.so retry${defaultValue}\" >> \"/etc/pam.d/common-password\"\n fi\nelse\n echo \"/etc/pam.d/common-password doesn't exist\" >&2\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_retry=\"\"\n\n\n\nif [ -e \"/etc/pam.d/common-password\" ] ; then\n valueRegex=\"$var_password_pam_retry\" defaultValue=\"$var_password_pam_retry\"\n # non-empty values need to be preceded by an equals sign\n [ -n \"${valueRegex}\" ] && valueRegex=\"=${valueRegex}\"\n # add an equals sign to non-empty values\n [ -n \"${defaultValue}\" ] && defaultValue=\"=${defaultValue}\"\n\n # fix 'type' if it's wrong\n if grep -q -P \"^\\\\s*(?\"'!'\"password\\\\s)[[:alnum:]]+\\\\s+[[:alnum:]]+\\\\s+pam_pwquality.so\" < \"/etc/pam.d/common-password\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*)[[:alnum:]]+(\\\\s+[[:alnum:]]+\\\\s+pam_pwquality.so)/\\\\1password\\\\2/\" \"/etc/pam.d/common-password\"\n fi\n\n # fix 
'control' if it's wrong\n if grep -q -P \"^\\\\s*password\\\\s+(?\"'!'\"requisite)[[:alnum:]]+\\\\s+pam_pwquality.so\" < \"/etc/pam.d/common-password\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*password\\\\s+)[[:alnum:]]+(\\\\s+pam_pwquality.so)/\\\\1requisite\\\\2/\" \"/etc/pam.d/common-password\"\n fi\n\n # fix the value for 'option' if one exists but does not match 'valueRegex'\n if grep -q -P \"^\\\\s*password\\\\s+requisite\\\\s+pam_pwquality.so(\\\\s.+)?\\\\s+retry(?\"'!'\"${valueRegex}(\\\\s|\\$))\" < \"/etc/pam.d/common-password\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*password\\\\s+requisite\\\\s+pam_pwquality.so(\\\\s.+)?\\\\s)retry=[^[:space:]]*/\\\\1retry${defaultValue}/\" \"/etc/pam.d/common-password\"\n\n # add 'option=default' if option is not set\n elif grep -q -E \"^\\\\s*password\\\\s+requisite\\\\s+pam_pwquality.so\" < \"/etc/pam.d/common-password\" &&\n grep -E \"^\\\\s*password\\\\s+requisite\\\\s+pam_pwquality.so\" < \"/etc/pam.d/common-password\" | grep -q -E -v \"\\\\sretry(=|\\\\s|\\$)\" ; then\n\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*password\\\\s+requisite\\\\s+pam_pwquality.so[^\\\\n]*)/\\\\1 retry${defaultValue}/\" \"/etc/pam.d/common-password\"\n # add a new entry if none exists\n elif ! grep -q -P \"^\\\\s*password\\\\s+requisite\\\\s+pam_pwquality.so(\\\\s.+)?\\\\s+retry${valueRegex}(\\\\s|\\$)\" < \"/etc/pam.d/common-password\" ; then\n echo \"password requisite pam_pwquality.so retry${defaultValue}\" >> \"/etc/pam.d/common-password\"\n fi\nelse\n echo \"/etc/pam.d/common-password doesn't exist\" >&2\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -6276,145 +6276,145 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -6545,11 +6545,11 @@ } ], "id": "accounts_password_pam_ucredit", - "title": "undefined title", + "title": "Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters", "desc": "The pam_pwquality module'sparameter controls requirements for\nusage of uppercase letters in a password. When set to a negative number, any password will be required to\ncontain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional\nlength credit for each uppercase character. Modify thesetting into require the use of an uppercase character in passwords.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_ucredit=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/security/pwquality.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^ucredit\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_password_pam_ucredit\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^ucredit\\\\>\" \"/etc/security/pwquality.conf\"; then\n \"${sed_command[@]}\" \"s/^ucredit\\\\>.*/$formatted_output/gi\" \"/etc/security/pwquality.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/security/pwquality.conf\" >> \"/etc/security/pwquality.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/security/pwquality.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_ucredit=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/security/pwquality.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^ucredit\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_password_pam_ucredit\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^ucredit\\\\>\" \"/etc/security/pwquality.conf\"; then\n \"${sed_command[@]}\" \"s/^ucredit\\\\>.*/$formatted_output/gi\" \"/etc/security/pwquality.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/security/pwquality.conf\" >> \"/etc/security/pwquality.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/security/pwquality.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -6655,145 +6655,145 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -6906,11 +6906,11 @@ } ], "id": "accounts_password_pam_unix_remember", - "title": "undefined title", + "title": "Limit Password Reuse", "desc": "Do not allow users to reuse recent passwords. This can be\naccomplished by using theoption for theorPAM modules.In the file, appendto the line which refers to theormodule, as shown below:The DoD STIG requirement is 5 passwords.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_unix_remember=\"\"\n\n\n\nif [ -e \"/etc/pam.d/common-password\" ] ; then\n valueRegex=\"$var_password_pam_unix_remember\" defaultValue=\"$var_password_pam_unix_remember\"\n # non-empty values need to be preceded by an equals sign\n [ -n \"${valueRegex}\" ] && valueRegex=\"=${valueRegex}\"\n # add an equals sign to non-empty values\n [ -n \"${defaultValue}\" ] && defaultValue=\"=${defaultValue}\"\n\n # fix 'type' if it's wrong\n if grep -q -P \"^\\\\s*(?\"'!'\"password\\\\s)[[:alnum:]]+\\\\s+[[:alnum:]]+\\\\s+pam_unix.so\" < \"/etc/pam.d/common-password\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*)[[:alnum:]]+(\\\\s+[[:alnum:]]+\\\\s+pam_unix.so)/\\\\1password\\\\2/\" \"/etc/pam.d/common-password\"\n fi\n\n # fix 'control' if it's wrong\n if grep -q -P \"^\\\\s*password\\\\s+(?\"'!'\"[success=1 default=ignore])[[:alnum:]]+\\\\s+pam_unix.so\" < \"/etc/pam.d/common-password\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*password\\\\s+)[[:alnum:]]+(\\\\s+pam_unix.so)/\\\\1[success=1 default=ignore]\\\\2/\" \"/etc/pam.d/common-password\"\n fi\n\n # fix the value for 'option' if one exists but does not match 'valueRegex'\n if grep -q -P \"^\\\\s*password\\\\s+[success=1 default=ignore]\\\\s+pam_unix.so(\\\\s.+)?\\\\s+obsecure sha512 shadow remember(?\"'!'\"${valueRegex}(\\\\s|\\$))\" < \"/etc/pam.d/common-password\" ; then\n sed --follow-symlinks -i -E -e 
\"s/^(\\\\s*password\\\\s+[success=1 default=ignore]\\\\s+pam_unix.so(\\\\s.+)?\\\\s)obsecure sha512 shadow remember=[^[:space:]]*/\\\\1obsecure sha512 shadow remember${defaultValue}/\" \"/etc/pam.d/common-password\"\n\n # add 'option=default' if option is not set\n elif grep -q -E \"^\\\\s*password\\\\s+[success=1 default=ignore]\\\\s+pam_unix.so\" < \"/etc/pam.d/common-password\" &&\n grep -E \"^\\\\s*password\\\\s+[success=1 default=ignore]\\\\s+pam_unix.so\" < \"/etc/pam.d/common-password\" | grep -q -E -v \"\\\\sobsecure sha512 shadow remember(=|\\\\s|\\$)\" ; then\n\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*password\\\\s+[success=1 default=ignore]\\\\s+pam_unix.so[^\\\\n]*)/\\\\1 obsecure sha512 shadow remember${defaultValue}/\" \"/etc/pam.d/common-password\"\n # add a new entry if none exists\n elif ! grep -q -P \"^\\\\s*password\\\\s+[success=1 default=ignore]\\\\s+pam_unix.so(\\\\s.+)?\\\\s+obsecure sha512 shadow remember${valueRegex}(\\\\s|\\$)\" < \"/etc/pam.d/common-password\" ; then\n echo \"password [success=1 default=ignore] pam_unix.so obsecure sha512 shadow remember${defaultValue}\" >> \"/etc/pam.d/common-password\"\n fi\nelse\n echo \"/etc/pam.d/common-password doesn't exist\" >&2\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\n\nvar_password_pam_unix_remember=\"\"\n\n\n\nif [ -e \"/etc/pam.d/common-password\" ] ; then\n valueRegex=\"$var_password_pam_unix_remember\" defaultValue=\"$var_password_pam_unix_remember\"\n # non-empty values need to be preceded by an equals sign\n [ -n \"${valueRegex}\" ] && valueRegex=\"=${valueRegex}\"\n # add an equals sign to non-empty values\n [ -n \"${defaultValue}\" ] && defaultValue=\"=${defaultValue}\"\n\n # fix 'type' if it's wrong\n if grep -q -P 
\"^\\\\s*(?\"'!'\"password\\\\s)[[:alnum:]]+\\\\s+[[:alnum:]]+\\\\s+pam_unix.so\" < \"/etc/pam.d/common-password\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*)[[:alnum:]]+(\\\\s+[[:alnum:]]+\\\\s+pam_unix.so)/\\\\1password\\\\2/\" \"/etc/pam.d/common-password\"\n fi\n\n # fix 'control' if it's wrong\n if grep -q -P \"^\\\\s*password\\\\s+(?\"'!'\"[success=1 default=ignore])[[:alnum:]]+\\\\s+pam_unix.so\" < \"/etc/pam.d/common-password\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*password\\\\s+)[[:alnum:]]+(\\\\s+pam_unix.so)/\\\\1[success=1 default=ignore]\\\\2/\" \"/etc/pam.d/common-password\"\n fi\n\n # fix the value for 'option' if one exists but does not match 'valueRegex'\n if grep -q -P \"^\\\\s*password\\\\s+[success=1 default=ignore]\\\\s+pam_unix.so(\\\\s.+)?\\\\s+obsecure sha512 shadow remember(?\"'!'\"${valueRegex}(\\\\s|\\$))\" < \"/etc/pam.d/common-password\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*password\\\\s+[success=1 default=ignore]\\\\s+pam_unix.so(\\\\s.+)?\\\\s)obsecure sha512 shadow remember=[^[:space:]]*/\\\\1obsecure sha512 shadow remember${defaultValue}/\" \"/etc/pam.d/common-password\"\n\n # add 'option=default' if option is not set\n elif grep -q -E \"^\\\\s*password\\\\s+[success=1 default=ignore]\\\\s+pam_unix.so\" < \"/etc/pam.d/common-password\" &&\n grep -E \"^\\\\s*password\\\\s+[success=1 default=ignore]\\\\s+pam_unix.so\" < \"/etc/pam.d/common-password\" | grep -q -E -v \"\\\\sobsecure sha512 shadow remember(=|\\\\s|\\$)\" ; then\n\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*password\\\\s+[success=1 default=ignore]\\\\s+pam_unix.so[^\\\\n]*)/\\\\1 obsecure sha512 shadow remember${defaultValue}/\" \"/etc/pam.d/common-password\"\n # add a new entry if none exists\n elif ! 
grep -q -P \"^\\\\s*password\\\\s+[success=1 default=ignore]\\\\s+pam_unix.so(\\\\s.+)?\\\\s+obsecure sha512 shadow remember${valueRegex}(\\\\s|\\$)\" < \"/etc/pam.d/common-password\" ; then\n echo \"password [success=1 default=ignore] pam_unix.so obsecure sha512 shadow remember${defaultValue}\" >> \"/etc/pam.d/common-password\"\n fi\nelse\n echo \"/etc/pam.d/common-password doesn't exist\" >&2\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -6960,7 +6960,7 @@ } ], "id": "accounts_password_set_max_life_existing", - "title": "undefined title", + "title": "Set Existing Passwords Maximum Age", "desc": "Configure non-compliant accounts to enforce a 60-day maximum password lifetime\nrestriction by running the following command:", "impact": 0.5, "descs": {} @@ -7012,7 +7012,7 @@ } ], "id": "accounts_password_set_min_life_existing", - "title": "undefined title", + "title": "Set Existing Passwords Minimum Age", "desc": "Configure non-compliant accounts to enforce a 24 hours/1 day minimum password\nlifetime by running the following command:", "impact": 0.5, "descs": {} 
@@ -7156,157 +7156,157 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -7467,11 +7467,11 @@ } ], "id": "accounts_password_warn_age_login_defs", - "title": "undefined title", + "title": "Set Password Warning Age", "desc": "To specify how many days prior to password\nexpiration that a warning will be issued to users,\nedit the fileand add or correct\n the following line:The DoD requirement is 7.\nThe profile requirement is.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'login' 2>/dev/null | grep -q installed; then\n\n\nvar_accounts_password_warn_age_login_defs=\"\"\n\n\n\ngrep -q ^PASS_WARN_AGE /etc/login.defs && \\\nsed -i \"s/PASS_WARN_AGE.*/PASS_WARN_AGE\\t$var_accounts_password_warn_age_login_defs/g\" /etc/login.defs\nif ! [ $? -eq 0 ]\nthen\n echo -e \"PASS_WARN_AGE\\t$var_accounts_password_warn_age_login_defs\" >> /etc/login.defs\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'login' 2>/dev/null | grep -q installed; then\n\n\nvar_accounts_password_warn_age_login_defs=\"\"\n\n\n\ngrep -q ^PASS_WARN_AGE /etc/login.defs && \\\nsed -i \"s/PASS_WARN_AGE.*/PASS_WARN_AGE\\t$var_accounts_password_warn_age_login_defs/g\" /etc/login.defs\nif ! [ $? -eq 0 ]\nthen\n echo -e \"PASS_WARN_AGE\\t$var_accounts_password_warn_age_login_defs\" >> /etc/login.defs\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
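Review bot: The `desc` value in this hunk has lost the inline pieces it refers to — `edit the fileand add or correct\n the following line:The DoD requirement is 7.\nThe profile requirement is.` no longer names the file to edit, the line to add, or the profile value — so the remediation guidance carried into the generated profile is unusable as written. This is a context line, so the truncation predates the commit, but it sits in the description-decoding path this change touches and the regenerated fixture now locks the truncated output in as the expected result. The same gaps appear in the `desc` of accounts_passwords_pam_faildelay_delay, accounts_tmout, accounts_umask_etc_bashrc and accounts_umask_etc_csh_cshrc in the later hunks of this file. It looks as though inline child elements of the description are dropped together with their text rather than only their tags; a fixture assertion that a decoded `desc` still contains the file path present in the source XCCDF would catch this before the next regeneration.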
@@ -7504,11 +7504,11 @@ } ], "id": "accounts_passwords_pam_faildelay_delay", - "title": "undefined title", + "title": "Enforce Delay After Failed Logon Attempts", "desc": "To configure the system to introduce a delay after failed logon attempts,\nadd or correct thesettings into make sure itsparameter\nis at leastor greater. For example:", "impact": 0.5, "descs": { - "fix": "var_password_pam_delay=\"\"\n\n\n\nif [ -e \"/etc/pam.d/common-auth\" ] ; then\n valueRegex=\"$var_password_pam_delay\" defaultValue=\"$var_password_pam_delay\"\n # non-empty values need to be preceded by an equals sign\n [ -n \"${valueRegex}\" ] && valueRegex=\"=${valueRegex}\"\n # add an equals sign to non-empty values\n [ -n \"${defaultValue}\" ] && defaultValue=\"=${defaultValue}\"\n\n # fix 'type' if it's wrong\n if grep -q -P \"^\\\\s*(?\"'!'\"auth\\\\s)[[:alnum:]]+\\\\s+[[:alnum:]]+\\\\s+pam_faildelay.so\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*)[[:alnum:]]+(\\\\s+[[:alnum:]]+\\\\s+pam_faildelay.so)/\\\\1auth\\\\2/\" \"/etc/pam.d/common-auth\"\n fi\n\n # fix 'control' if it's wrong\n if grep -q -P \"^\\\\s*auth\\\\s+(?\"'!'\"required)[[:alnum:]]+\\\\s+pam_faildelay.so\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+)[[:alnum:]]+(\\\\s+pam_faildelay.so)/\\\\1required\\\\2/\" \"/etc/pam.d/common-auth\"\n fi\n\n # fix the value for 'option' if one exists but does not match 'valueRegex'\n if grep -q -P \"^\\\\s*auth\\\\s+required\\\\s+pam_faildelay.so(\\\\s.+)?\\\\s+delay(?\"'!'\"${valueRegex}(\\\\s|\\$))\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+required\\\\s+pam_faildelay.so(\\\\s.+)?\\\\s)delay=[^[:space:]]*/\\\\1delay${defaultValue}/\" \"/etc/pam.d/common-auth\"\n\n # add 'option=default' if option is not set\n elif grep -q -E \"^\\\\s*auth\\\\s+required\\\\s+pam_faildelay.so\" < \"/etc/pam.d/common-auth\" &&\n grep -E 
\"^\\\\s*auth\\\\s+required\\\\s+pam_faildelay.so\" < \"/etc/pam.d/common-auth\" | grep -q -E -v \"\\\\sdelay(=|\\\\s|\\$)\" ; then\n\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+required\\\\s+pam_faildelay.so[^\\\\n]*)/\\\\1 delay${defaultValue}/\" \"/etc/pam.d/common-auth\"\n # add a new entry if none exists\n elif ! grep -q -P \"^\\\\s*auth\\\\s+required\\\\s+pam_faildelay.so(\\\\s.+)?\\\\s+delay${valueRegex}(\\\\s|\\$)\" < \"/etc/pam.d/common-auth\" ; then\n echo \"auth required pam_faildelay.so delay${defaultValue}\" >> \"/etc/pam.d/common-auth\"\n fi\nelse\n echo \"/etc/pam.d/common-auth doesn't exist\" >&2\nfi" + "fix": "var_password_pam_delay=\"\"\n\n\n\nif [ -e \"/etc/pam.d/common-auth\" ] ; then\n valueRegex=\"$var_password_pam_delay\" defaultValue=\"$var_password_pam_delay\"\n # non-empty values need to be preceded by an equals sign\n [ -n \"${valueRegex}\" ] && valueRegex=\"=${valueRegex}\"\n # add an equals sign to non-empty values\n [ -n \"${defaultValue}\" ] && defaultValue=\"=${defaultValue}\"\n\n # fix 'type' if it's wrong\n if grep -q -P \"^\\\\s*(?\"'!'\"auth\\\\s)[[:alnum:]]+\\\\s+[[:alnum:]]+\\\\s+pam_faildelay.so\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*)[[:alnum:]]+(\\\\s+[[:alnum:]]+\\\\s+pam_faildelay.so)/\\\\1auth\\\\2/\" \"/etc/pam.d/common-auth\"\n fi\n\n # fix 'control' if it's wrong\n if grep -q -P \"^\\\\s*auth\\\\s+(?\"'!'\"required)[[:alnum:]]+\\\\s+pam_faildelay.so\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+)[[:alnum:]]+(\\\\s+pam_faildelay.so)/\\\\1required\\\\2/\" \"/etc/pam.d/common-auth\"\n fi\n\n # fix the value for 'option' if one exists but does not match 'valueRegex'\n if grep -q -P \"^\\\\s*auth\\\\s+required\\\\s+pam_faildelay.so(\\\\s.+)?\\\\s+delay(?\"'!'\"${valueRegex}(\\\\s|\\$))\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e 
\"s/^(\\\\s*auth\\\\s+required\\\\s+pam_faildelay.so(\\\\s.+)?\\\\s)delay=[^[:space:]]*/\\\\1delay${defaultValue}/\" \"/etc/pam.d/common-auth\"\n\n # add 'option=default' if option is not set\n elif grep -q -E \"^\\\\s*auth\\\\s+required\\\\s+pam_faildelay.so\" < \"/etc/pam.d/common-auth\" &&\n grep -E \"^\\\\s*auth\\\\s+required\\\\s+pam_faildelay.so\" < \"/etc/pam.d/common-auth\" | grep -q -E -v \"\\\\sdelay(=|\\\\s|\\$)\" ; then\n\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+required\\\\s+pam_faildelay.so[^\\\\n]*)/\\\\1 delay${defaultValue}/\" \"/etc/pam.d/common-auth\"\n # add a new entry if none exists\n elif ! grep -q -P \"^\\\\s*auth\\\\s+required\\\\s+pam_faildelay.so(\\\\s.+)?\\\\s+delay${valueRegex}(\\\\s|\\$)\" < \"/etc/pam.d/common-auth\" ; then\n echo \"auth required pam_faildelay.so delay${defaultValue}\" >> \"/etc/pam.d/common-auth\"\n fi\nelse\n echo \"/etc/pam.d/common-auth doesn't exist\" >&2\nfi" } }, { 
@@ -7547,11 +7547,11 @@ } ], "id": "accounts_passwords_pam_tally2", - "title": "undefined title", + "title": "Set Deny For Failed Password Attempts", "desc": "The Ubuntu 20.04 operating system must lock an account after - at most -consecutive invalid access attempts.", "impact": 0.5, "descs": { - "fix": "var_password_pam_tally2=\"\"\n\n\n# Use a non-number regexp to force update of the value of the deny option\nif [ -e \"/etc/pam.d/common-auth\" ] ; then\n valueRegex=\"X\" defaultValue=\"${var_password_pam_tally2}\"\n # non-empty values need to be preceded by an equals sign\n [ -n \"${valueRegex}\" ] && valueRegex=\"=${valueRegex}\"\n # add an equals sign to non-empty values\n [ -n \"${defaultValue}\" ] && defaultValue=\"=${defaultValue}\"\n\n # fix 'type' if it's wrong\n if grep -q -P \"^\\\\s*(?\"'!'\"auth\\\\s)[[:alnum:]]+\\\\s+[[:alnum:]]+\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*)[[:alnum:]]+(\\\\s+[[:alnum:]]+\\\\s+pam_tally2.so)/\\\\1auth\\\\2/\" \"/etc/pam.d/common-auth\"\n fi\n\n # fix 'control' if it's wrong\n if grep -q -P \"^\\\\s*auth\\\\s+(?\"'!'\"required)[[:alnum:]]+\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+)[[:alnum:]]+(\\\\s+pam_tally2.so)/\\\\1required\\\\2/\" \"/etc/pam.d/common-auth\"\n fi\n\n # fix the value for 'option' if one exists but does not match 'valueRegex'\n if grep -q -P \"^\\\\s*auth\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s+deny(?\"'!'\"${valueRegex}(\\\\s|\\$))\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s)deny=[^[:space:]]*/\\\\1deny${defaultValue}/\" \"/etc/pam.d/common-auth\"\n\n # add 'option=default' if option is not set\n elif grep -q -E \"^\\\\s*auth\\\\s+required\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-auth\" &&\n grep -E \"^\\\\s*auth\\\\s+required\\\\s+pam_tally2.so\" < 
\"/etc/pam.d/common-auth\" | grep -q -E -v \"\\\\sdeny(=|\\\\s|\\$)\" ; then\n\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+required\\\\s+pam_tally2.so[^\\\\n]*)/\\\\1 deny${defaultValue}/\" \"/etc/pam.d/common-auth\"\n # add a new entry if none exists\n elif ! grep -q -P \"^\\\\s*auth\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s+deny${valueRegex}(\\\\s|\\$)\" < \"/etc/pam.d/common-auth\" ; then\n echo \"auth required pam_tally2.so deny${defaultValue}\" >> \"/etc/pam.d/common-auth\"\n fi\nelse\n echo \"/etc/pam.d/common-auth doesn't exist\" >&2\nfi\nif [ -e \"/etc/pam.d/common-auth\" ] ; then\n valueRegex=\"(fail)\" defaultValue=\"fail\"\n # non-empty values need to be preceded by an equals sign\n [ -n \"${valueRegex}\" ] && valueRegex=\"=${valueRegex}\"\n # add an equals sign to non-empty values\n [ -n \"${defaultValue}\" ] && defaultValue=\"=${defaultValue}\"\n\n # fix 'type' if it's wrong\n if grep -q -P \"^\\\\s*(?\"'!'\"auth\\\\s)[[:alnum:]]+\\\\s+[[:alnum:]]+\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*)[[:alnum:]]+(\\\\s+[[:alnum:]]+\\\\s+pam_tally2.so)/\\\\1auth\\\\2/\" \"/etc/pam.d/common-auth\"\n fi\n\n # fix 'control' if it's wrong\n if grep -q -P \"^\\\\s*auth\\\\s+(?\"'!'\"required)[[:alnum:]]+\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+)[[:alnum:]]+(\\\\s+pam_tally2.so)/\\\\1required\\\\2/\" \"/etc/pam.d/common-auth\"\n fi\n\n # fix the value for 'option' if one exists but does not match 'valueRegex'\n if grep -q -P \"^\\\\s*auth\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s+onerr(?\"'!'\"${valueRegex}(\\\\s|\\$))\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s)onerr=[^[:space:]]*/\\\\1onerr${defaultValue}/\" \"/etc/pam.d/common-auth\"\n\n # add 'option=default' if option is not set\n elif grep -q -E 
\"^\\\\s*auth\\\\s+required\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-auth\" &&\n grep -E \"^\\\\s*auth\\\\s+required\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-auth\" | grep -q -E -v \"\\\\sonerr(=|\\\\s|\\$)\" ; then\n\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+required\\\\s+pam_tally2.so[^\\\\n]*)/\\\\1 onerr${defaultValue}/\" \"/etc/pam.d/common-auth\"\n # add a new entry if none exists\n elif ! grep -q -P \"^\\\\s*auth\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s+onerr${valueRegex}(\\\\s|\\$)\" < \"/etc/pam.d/common-auth\" ; then\n echo \"auth required pam_tally2.so onerr${defaultValue}\" >> \"/etc/pam.d/common-auth\"\n fi\nelse\n echo \"/etc/pam.d/common-auth doesn't exist\" >&2\nfi\nif [ -e \"/etc/pam.d/common-account\" ] ; then\n valueRegex=\"\" defaultValue=\"\"\n # non-empty values need to be preceded by an equals sign\n [ -n \"${valueRegex}\" ] && valueRegex=\"=${valueRegex}\"\n # add an equals sign to non-empty values\n [ -n \"${defaultValue}\" ] && defaultValue=\"=${defaultValue}\"\n\n # fix 'type' if it's wrong\n if grep -q -P \"^\\\\s*(?\"'!'\"account\\\\s)[[:alnum:]]+\\\\s+[[:alnum:]]+\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-account\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*)[[:alnum:]]+(\\\\s+[[:alnum:]]+\\\\s+pam_tally2.so)/\\\\1account\\\\2/\" \"/etc/pam.d/common-account\"\n fi\n\n # fix 'control' if it's wrong\n if grep -q -P \"^\\\\s*account\\\\s+(?\"'!'\"required)[[:alnum:]]+\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-account\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*account\\\\s+)[[:alnum:]]+(\\\\s+pam_tally2.so)/\\\\1required\\\\2/\" \"/etc/pam.d/common-account\"\n fi\n\n # fix the value for 'option' if one exists but does not match 'valueRegex'\n if grep -q -P \"^\\\\s*account\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s+(?\"'!'\"${valueRegex}(\\\\s|\\$))\" < \"/etc/pam.d/common-account\" ; then\n sed --follow-symlinks -i -E -e 
\"s/^(\\\\s*account\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s)=[^[:space:]]*/\\\\1${defaultValue}/\" \"/etc/pam.d/common-account\"\n\n # add 'option=default' if option is not set\n elif grep -q -E \"^\\\\s*account\\\\s+required\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-account\" &&\n grep -E \"^\\\\s*account\\\\s+required\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-account\" | grep -q -E -v \"\\\\s(=|\\\\s|\\$)\" ; then\n\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*account\\\\s+required\\\\s+pam_tally2.so[^\\\\n]*)/\\\\1 ${defaultValue}/\" \"/etc/pam.d/common-account\"\n # add a new entry if none exists\n elif ! grep -q -P \"^\\\\s*account\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s+${valueRegex}(\\\\s|\\$)\" < \"/etc/pam.d/common-account\" ; then\n echo \"account required pam_tally2.so ${defaultValue}\" >> \"/etc/pam.d/common-account\"\n fi\nelse\n echo \"/etc/pam.d/common-account doesn't exist\" >&2\nfi" + "fix": "var_password_pam_tally2=\"\"\n\n\n# Use a non-number regexp to force update of the value of the deny option\nif [ -e \"/etc/pam.d/common-auth\" ] ; then\n valueRegex=\"X\" defaultValue=\"${var_password_pam_tally2}\"\n # non-empty values need to be preceded by an equals sign\n [ -n \"${valueRegex}\" ] && valueRegex=\"=${valueRegex}\"\n # add an equals sign to non-empty values\n [ -n \"${defaultValue}\" ] && defaultValue=\"=${defaultValue}\"\n\n # fix 'type' if it's wrong\n if grep -q -P \"^\\\\s*(?\"'!'\"auth\\\\s)[[:alnum:]]+\\\\s+[[:alnum:]]+\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*)[[:alnum:]]+(\\\\s+[[:alnum:]]+\\\\s+pam_tally2.so)/\\\\1auth\\\\2/\" \"/etc/pam.d/common-auth\"\n fi\n\n # fix 'control' if it's wrong\n if grep -q -P \"^\\\\s*auth\\\\s+(?\"'!'\"required)[[:alnum:]]+\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+)[[:alnum:]]+(\\\\s+pam_tally2.so)/\\\\1required\\\\2/\" \"/etc/pam.d/common-auth\"\n 
fi\n\n # fix the value for 'option' if one exists but does not match 'valueRegex'\n if grep -q -P \"^\\\\s*auth\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s+deny(?\"'!'\"${valueRegex}(\\\\s|\\$))\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s)deny=[^[:space:]]*/\\\\1deny${defaultValue}/\" \"/etc/pam.d/common-auth\"\n\n # add 'option=default' if option is not set\n elif grep -q -E \"^\\\\s*auth\\\\s+required\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-auth\" &&\n grep -E \"^\\\\s*auth\\\\s+required\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-auth\" | grep -q -E -v \"\\\\sdeny(=|\\\\s|\\$)\" ; then\n\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+required\\\\s+pam_tally2.so[^\\\\n]*)/\\\\1 deny${defaultValue}/\" \"/etc/pam.d/common-auth\"\n # add a new entry if none exists\n elif ! grep -q -P \"^\\\\s*auth\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s+deny${valueRegex}(\\\\s|\\$)\" < \"/etc/pam.d/common-auth\" ; then\n echo \"auth required pam_tally2.so deny${defaultValue}\" >> \"/etc/pam.d/common-auth\"\n fi\nelse\n echo \"/etc/pam.d/common-auth doesn't exist\" >&2\nfi\nif [ -e \"/etc/pam.d/common-auth\" ] ; then\n valueRegex=\"(fail)\" defaultValue=\"fail\"\n # non-empty values need to be preceded by an equals sign\n [ -n \"${valueRegex}\" ] && valueRegex=\"=${valueRegex}\"\n # add an equals sign to non-empty values\n [ -n \"${defaultValue}\" ] && defaultValue=\"=${defaultValue}\"\n\n # fix 'type' if it's wrong\n if grep -q -P \"^\\\\s*(?\"'!'\"auth\\\\s)[[:alnum:]]+\\\\s+[[:alnum:]]+\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*)[[:alnum:]]+(\\\\s+[[:alnum:]]+\\\\s+pam_tally2.so)/\\\\1auth\\\\2/\" \"/etc/pam.d/common-auth\"\n fi\n\n # fix 'control' if it's wrong\n if grep -q -P \"^\\\\s*auth\\\\s+(?\"'!'\"required)[[:alnum:]]+\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i 
-E -e \"s/^(\\\\s*auth\\\\s+)[[:alnum:]]+(\\\\s+pam_tally2.so)/\\\\1required\\\\2/\" \"/etc/pam.d/common-auth\"\n fi\n\n # fix the value for 'option' if one exists but does not match 'valueRegex'\n if grep -q -P \"^\\\\s*auth\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s+onerr(?\"'!'\"${valueRegex}(\\\\s|\\$))\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s)onerr=[^[:space:]]*/\\\\1onerr${defaultValue}/\" \"/etc/pam.d/common-auth\"\n\n # add 'option=default' if option is not set\n elif grep -q -E \"^\\\\s*auth\\\\s+required\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-auth\" &&\n grep -E \"^\\\\s*auth\\\\s+required\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-auth\" | grep -q -E -v \"\\\\sonerr(=|\\\\s|\\$)\" ; then\n\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+required\\\\s+pam_tally2.so[^\\\\n]*)/\\\\1 onerr${defaultValue}/\" \"/etc/pam.d/common-auth\"\n # add a new entry if none exists\n elif ! 
grep -q -P \"^\\\\s*auth\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s+onerr${valueRegex}(\\\\s|\\$)\" < \"/etc/pam.d/common-auth\" ; then\n echo \"auth required pam_tally2.so onerr${defaultValue}\" >> \"/etc/pam.d/common-auth\"\n fi\nelse\n echo \"/etc/pam.d/common-auth doesn't exist\" >&2\nfi\nif [ -e \"/etc/pam.d/common-account\" ] ; then\n valueRegex=\"\" defaultValue=\"\"\n # non-empty values need to be preceded by an equals sign\n [ -n \"${valueRegex}\" ] && valueRegex=\"=${valueRegex}\"\n # add an equals sign to non-empty values\n [ -n \"${defaultValue}\" ] && defaultValue=\"=${defaultValue}\"\n\n # fix 'type' if it's wrong\n if grep -q -P \"^\\\\s*(?\"'!'\"account\\\\s)[[:alnum:]]+\\\\s+[[:alnum:]]+\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-account\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*)[[:alnum:]]+(\\\\s+[[:alnum:]]+\\\\s+pam_tally2.so)/\\\\1account\\\\2/\" \"/etc/pam.d/common-account\"\n fi\n\n # fix 'control' if it's wrong\n if grep -q -P \"^\\\\s*account\\\\s+(?\"'!'\"required)[[:alnum:]]+\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-account\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*account\\\\s+)[[:alnum:]]+(\\\\s+pam_tally2.so)/\\\\1required\\\\2/\" \"/etc/pam.d/common-account\"\n fi\n\n # fix the value for 'option' if one exists but does not match 'valueRegex'\n if grep -q -P \"^\\\\s*account\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s+(?\"'!'\"${valueRegex}(\\\\s|\\$))\" < \"/etc/pam.d/common-account\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*account\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s)=[^[:space:]]*/\\\\1${defaultValue}/\" \"/etc/pam.d/common-account\"\n\n # add 'option=default' if option is not set\n elif grep -q -E \"^\\\\s*account\\\\s+required\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-account\" &&\n grep -E \"^\\\\s*account\\\\s+required\\\\s+pam_tally2.so\" < \"/etc/pam.d/common-account\" | grep -q -E -v \"\\\\s(=|\\\\s|\\$)\" ; then\n\n sed --follow-symlinks -i -E -e 
\"s/^(\\\\s*account\\\\s+required\\\\s+pam_tally2.so[^\\\\n]*)/\\\\1 ${defaultValue}/\" \"/etc/pam.d/common-account\"\n # add a new entry if none exists\n elif ! grep -q -P \"^\\\\s*account\\\\s+required\\\\s+pam_tally2.so(\\\\s.+)?\\\\s+${valueRegex}(\\\\s|\\$)\" < \"/etc/pam.d/common-account\" ; then\n echo \"account required pam_tally2.so ${defaultValue}\" >> \"/etc/pam.d/common-account\"\n fi\nelse\n echo \"/etc/pam.d/common-account doesn't exist\" >&2\nfi" } }, { @@ -7572,11 +7572,11 @@ } ], "id": "accounts_polyinstantiated_tmp", - "title": "undefined title", + "title": "Configure Polyinstantiation of /tmp Directories", "desc": "To configure polyinstantiated /tmp directories, first create the parent directories\nwhich will hold the polyinstantiation child directories. Use the following command:Then, add the following entry to:", "impact": 0.3, "descs": { - "fix": "if ! [ -d /tmp/tmp-inst ] ; then\n mkdir --mode 000 /tmp/tmp-inst\nfi\nchmod 000 /tmp/tmp-inst\nchcon --reference=/tmp /tmp/tmp-inst\n\nif ! grep -Eq '^\\s*/tmp\\s+/tmp/tmp-inst/\\s+level\\s+root,adm$' /etc/security/namespace.conf ; then\n if grep -Eq '^\\s*/tmp\\s+' /etc/security/namespace.conf ; then\n sed -i '/^\\s*\\/tmp/d' /etc/security/namespace.conf\n fi\n echo \"/tmp /tmp/tmp-inst/ level root,adm\" >> /etc/security/namespace.conf\nfi" + "fix": "if ! [ -d /tmp/tmp-inst ] ; then\n mkdir --mode 000 /tmp/tmp-inst\nfi\nchmod 000 /tmp/tmp-inst\nchcon --reference=/tmp /tmp/tmp-inst\n\nif ! grep -Eq '^\\s*/tmp\\s+/tmp/tmp-inst/\\s+level\\s+root,adm$' /etc/security/namespace.conf ; then\n if grep -Eq '^\\s*/tmp\\s+' /etc/security/namespace.conf ; then\n sed -i '/^\\s*\\/tmp/d' /etc/security/namespace.conf\n fi\n echo \"/tmp /tmp/tmp-inst/ level root,adm\" >> /etc/security/namespace.conf\nfi" } }, { 
@@ -7597,11 +7597,11 @@ } ], "id": "accounts_polyinstantiated_var_tmp", - "title": "undefined title", + "title": "Configure Polyinstantiation of /var/tmp Directories", "desc": "To configure polyinstantiated /tmp directories, first create the parent directories\nwhich will hold the polyinstantiation child directories. Use the following command:Then, add the following entry to:", "impact": 0.3, "descs": { - "fix": "if ! [ -d /tmp-inst ] ; then\n mkdir --mode 000 /var/tmp/tmp-inst\nfi\nchmod 000 /var/tmp/tmp-inst\nchcon --reference=/var/tmp/ /var/tmp/tmp-inst\n\nif ! grep -Eq '^\\s*/var/tmp\\s+/var/tmp/tmp-inst/\\s+level\\s+root,adm$' /etc/security/namespace.conf ; then\n if grep -Eq '^\\s*/var/tmp\\s+' /etc/security/namespace.conf ; then\n sed -i '/^\\s*\\/var\\/tmp/d' /etc/security/namespace.conf\n fi\n echo \"/var/tmp /var/tmp/tmp-inst/ level root,adm\" >> /etc/security/namespace.conf\nfi" + "fix": "if ! [ -d /tmp-inst ] ; then\n mkdir --mode 000 /var/tmp/tmp-inst\nfi\nchmod 000 /var/tmp/tmp-inst\nchcon --reference=/var/tmp/ /var/tmp/tmp-inst\n\nif ! grep -Eq '^\\s*/var/tmp\\s+/var/tmp/tmp-inst/\\s+level\\s+root,adm$' /etc/security/namespace.conf ; then\n if grep -Eq '^\\s*/var/tmp\\s+' /etc/security/namespace.conf ; then\n sed -i '/^\\s*\\/var\\/tmp/d' /etc/security/namespace.conf\n fi\n echo \"/var/tmp /var/tmp/tmp-inst/ level root,adm\" >> /etc/security/namespace.conf\nfi" } }, { 
@@ -7670,19 +7670,19 @@ { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -7741,7 +7741,7 @@ } ], "id": "accounts_root_path_dirs_no_write", - "title": "undefined title", + "title": "Ensure that Root's Path Does Not Include World or Group-Writable Directories", "desc": "For each element in root's path, run:and ensure that write permissions are disabled for group and\nother.", "impact": 0.5, "descs": {} 
@@ -7837,97 +7837,97 @@ { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] 
}, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -8058,11 +8058,11 @@ } ], "id": "accounts_tmout", - "title": "undefined title", + "title": "Set Interactive Session Timeout", "desc": "Setting theoption inensures that\nall user sessions will terminate based on inactivity. Thesetting in a file loaded by, e.g.should read as follows:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nvar_accounts_tmout=\"\"\n\n\n\n# if 0, no occurence of tmout found, if 1, occurence found\ntmout_found=0\n\nfor f in /etc/profile /etc/profile.d/*.sh; do\n if grep --silent '^\\s*TMOUT' $f; then\n sed -i -E \"s/^(\\s*)TMOUT\\s*=\\s*(\\w|\\$)*(.*)$/\\1TMOUT=$var_accounts_tmout\\3/g\" $f\n tmout_found=1\n fi\ndone\n\nif [ $tmout_found -eq 0 ]; then\n echo -e \"\\n# Set TMOUT to $var_accounts_tmout per security requirements\" >> /etc/profile.d/tmout.sh\n echo \"TMOUT=$var_accounts_tmout\" >> /etc/profile.d/tmout.sh\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nvar_accounts_tmout=\"\"\n\n\n\n# if 0, no occurence of tmout found, if 1, occurence found\ntmout_found=0\n\nfor f in /etc/profile /etc/profile.d/*.sh; do\n if grep --silent '^\\s*TMOUT' $f; then\n sed -i -E \"s/^(\\s*)TMOUT\\s*=\\s*(\\w|\\$)*(.*)$/\\1TMOUT=$var_accounts_tmout\\3/g\" $f\n tmout_found=1\n fi\ndone\n\nif [ $tmout_found -eq 0 ]; then\n echo -e \"\\n# Set TMOUT to $var_accounts_tmout per security requirements\" >> /etc/profile.d/tmout.sh\n echo \"TMOUT=$var_accounts_tmout\" >> /etc/profile.d/tmout.sh\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -8126,7 +8126,7 @@ { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { 
@@ -8239,7 +8239,7 @@ } ], "id": "accounts_umask_etc_bashrc", - "title": "undefined title", + "title": "Ensure the Default Bash Umask is Set Correctly", "desc": "To ensure the default umask for users of the Bash shell is set properly,\nadd or correct thesetting into read\nas follows:", "impact": 0.5, "descs": { @@ -8301,7 +8301,7 @@ { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { @@ -8408,7 +8408,7 @@ } ], "id": "accounts_umask_etc_csh_cshrc", - "title": "undefined title", + "title": "Ensure the Default C Shell Umask is Set Correctly", "desc": "To ensure the default umask for users of the C shell is set properly,\nadd or correct thesetting into read as follows:", "impact": 0.5, "descs": { @@ -8517,19 +8517,19 @@ { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -8684,7 +8684,7 @@ } ], "id": "accounts_umask_etc_login_defs", - "title": "undefined title", + "title": "Ensure the Default Umask is Set Correctly in login.defs", "desc": "To ensure the default umask controlled byis set properly,\nadd or correct thesetting into read as follows:", "impact": 0.5, "descs": {} @@ -8750,7 +8750,7 @@ { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { 
@@ -8857,11 +8857,11 @@ } ], "id": "accounts_umask_etc_profile", - "title": "undefined title", + "title": "Ensure the Default Umask is Set Correctly in /etc/profile", "desc": "To ensure the default umask controlled byis set properly,\nadd or correct thesetting into read as follows:", "impact": 0.5, "descs": { - "fix": "var_accounts_user_umask=\"\"\n\n\n\ngrep -q umask /etc/profile && \\\n sed -i \"s/umask.*/umask $var_accounts_user_umask/g\" /etc/profile\nif ! [ $? -eq 0 ]; then\n echo \"umask $var_accounts_user_umask\" >> /etc/profile\nfi" + "fix": "var_accounts_user_umask=\"\"\n\n\n\ngrep -q umask /etc/profile && \\\n sed -i \"s/umask.*/umask $var_accounts_user_umask/g\" /etc/profile\nif ! [ $? -eq 0 ]; then\n echo \"umask $var_accounts_user_umask\" >> /etc/profile\nfi" } }, { @@ -8899,7 +8899,7 @@ } ], "id": "accounts_umask_interactive_users", - "title": "undefined title", + "title": "Ensure the Default Umask is Set Correctly For Interactive Users", "desc": "Remove theenvironment variable from all interactive users initialization files.", "impact": 0.5, "descs": {} @@ -8933,7 +8933,7 @@ } ], "id": "accounts_user_dot_group_ownership", - "title": "undefined title", + "title": "User Initialization Files Must Be Group-Owned By The Primary User", "desc": "Change the group owner of interactive users files to the group found\ninfor the user. To change the group owner of a local\ninteractive user home directory, use the following command:", "impact": 0.5, "descs": {} @@ -8967,7 +8967,7 @@ } ], "id": "accounts_user_dot_user_ownership", - "title": "undefined title", + "title": "User Initialization Files Must Be Owned By the Primary User", "desc": "Set the owner of the user initialization files for interactive users to\nthe primary owner with the following command:", "impact": 0.5, "descs": {} 
@@ -9001,7 +9001,7 @@ } ], "id": "accounts_user_interactive_home_directory_exists", - "title": "undefined title", + "title": "All Interactive Users Home Directories Must Exist", "desc": "Create home directories to all interactive users that currently do not\nhave a home directory assigned. Use the following commands to create the user\nhome directory assigned in:", "impact": 0.5, "descs": {} @@ -9023,7 +9023,7 @@ } ], "id": "accounts_users_own_home_directories", - "title": "undefined title", + "title": "Ensure users own their home directories", "desc": "The user home directory is space defined for the particular user to set local\nenvironment variables and to store personal files. Since the user is\naccountable for files stored in the user home directory, the user must be\nthe owner of the directory.", "impact": 0.5, "descs": {} 
@@ -9245,61 +9245,61 @@ { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -9442,11 +9442,11 @@ } ], "id": "aide_build_database", - "title": "undefined title", + "title": "Build and Test AIDE Database", "desc": "Run the following command to generate a new database:By default, the database will be written to the file.\nStoring the database, the configuration file, and the binary(or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.\nThe newly-generated database can be installed as follows:To initiate a manual check, run the following command:If this check produces any unexpected output, investigate.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"aide\"\n\n/usr/sbin/aideinit\n/bin/mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"aide\"\n\n/usr/sbin/aideinit\n/bin/mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -9491,11 +9491,11 @@ } ], "id": "aide_check_audit_tools", - "title": "undefined title", + "title": "Configure AIDE to Verify the Audit Tools", "desc": "The operating system file integrity tool must be configured to protect the integrity of the audit tools.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"aide\"\n\n\n\n\n\n\n\n\n\n\nif grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide/aide.conf; then\nsed -i \"s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512#\" /etc/aide/aide.conf\nelse\necho \"/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512\" >> /etc/aide/aide.conf\nfi\n\n\nif grep -i '^.*/usr/sbin/auditd.*$' /etc/aide/aide.conf; then\nsed -i \"s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512#\" /etc/aide/aide.conf\nelse\necho \"/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\" >> /etc/aide/aide.conf\nfi\n\n\nif grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide/aide.conf; then\nsed -i \"s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512#\" /etc/aide/aide.conf\nelse\necho \"/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\" >> /etc/aide/aide.conf\nfi\n\n\nif grep -i '^.*/usr/sbin/aureport.*$' /etc/aide/aide.conf; then\nsed -i \"s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512#\" /etc/aide/aide.conf\nelse\necho \"/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512\" >> /etc/aide/aide.conf\nfi\n\n\nif grep -i '^.*/usr/sbin/autrace.*$' /etc/aide/aide.conf; then\nsed -i \"s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512#\" /etc/aide/aide.conf\nelse\necho \"/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\" >> /etc/aide/aide.conf\nfi\n\n\nif grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide/aide.conf; then\nsed -i \"s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules 
p+i+n+u+g+s+b+acl+xattrs+sha512#\" /etc/aide/aide.conf\nelse\necho \"/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512\" >> /etc/aide/aide.conf\nfi\n\n\nif grep -i '^.*/usr/sbin/audispd.*$' /etc/aide/aide.conf; then\nsed -i \"s#.*/usr/sbin/audispd.*#/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512#\" /etc/aide/aide.conf\nelse\necho \"/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\" >> /etc/aide/aide.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"aide\"\n\n\n\n\n\n\n\n\n\n\nif grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide/aide.conf; then\nsed -i \"s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512#\" /etc/aide/aide.conf\nelse\necho \"/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512\" >> /etc/aide/aide.conf\nfi\n\n\nif grep -i '^.*/usr/sbin/auditd.*$' /etc/aide/aide.conf; then\nsed -i \"s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512#\" /etc/aide/aide.conf\nelse\necho \"/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\" >> /etc/aide/aide.conf\nfi\n\n\nif grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide/aide.conf; then\nsed -i \"s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512#\" /etc/aide/aide.conf\nelse\necho \"/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\" >> /etc/aide/aide.conf\nfi\n\n\nif grep -i '^.*/usr/sbin/aureport.*$' /etc/aide/aide.conf; then\nsed -i \"s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512#\" /etc/aide/aide.conf\nelse\necho \"/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512\" >> /etc/aide/aide.conf\nfi\n\n\nif grep -i '^.*/usr/sbin/autrace.*$' /etc/aide/aide.conf; then\nsed -i \"s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512#\" /etc/aide/aide.conf\nelse\necho \"/usr/sbin/autrace 
p+i+n+u+g+s+b+acl+xattrs+sha512\" >> /etc/aide/aide.conf\nfi\n\n\nif grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide/aide.conf; then\nsed -i \"s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512#\" /etc/aide/aide.conf\nelse\necho \"/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512\" >> /etc/aide/aide.conf\nfi\n\n\nif grep -i '^.*/usr/sbin/audispd.*$' /etc/aide/aide.conf; then\nsed -i \"s#.*/usr/sbin/audispd.*#/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512#\" /etc/aide/aide.conf\nelse\necho \"/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\" >> /etc/aide/aide.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -9733,61 +9733,61 @@ { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -9966,11 +9966,11 @@ } ], "id": "aide_periodic_cron_checking", - "title": "undefined title", + "title": "Configure Periodic Execution of AIDE", "desc": "At a minimum, AIDE should be configured to run a weekly scan.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following line to:To implement a weekly execution of AIDE at 4:05am using cron, add the following line to:AIDE can be executed periodically through other means; this is merely one example.\nThe usage of cron's special time codes, such asandis acceptable.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"aide\"\n\n# AiDE usually adds its own cron jobs to /etc/cron.daily. If script is there, this rule is\n# compliant. Otherwise, we copy the script to the /etc/cron.weekly\nif ! egrep -q '^(/usr/bin/)?aide\\.wrapper\\s+' /etc/cron.*/*; then\n cp -f /usr/share/aide/config/cron.daily/aide /etc/cron.weekly/\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"aide\"\n\n# AiDE usually adds its own cron jobs to /etc/cron.daily. If script is there, this rule is\n# compliant. Otherwise, we copy the script to the /etc/cron.weekly\nif ! egrep -q '^(/usr/bin/)?aide\\.wrapper\\s+' /etc/cron.*/*; then\n cp -f /usr/share/aide/config/cron.daily/aide /etc/cron.weekly/\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -10117,11 +10117,11 @@ } ], "id": "apparmor_configured", - "title": "undefined title", + "title": "Ensure AppArmor is Active and Configured", "desc": "Verify that the Apparmor tool is configured to\ncontrol whitelisted applications and user home directory access\ncontrol.Theservice can be enabled with the following command:", "impact": 0.5, "descs": { - "fix": "include enable_apparmor\n\nclass enable_apparmor {\n service {'apparmor':\n enable => true,\n ensure => 'running',\n }\n}" + "fix": "include enable_apparmor\n\nclass enable_apparmor {\n service {'apparmor':\n enable => true,\n ensure => 'running',\n }\n}" } }, { @@ -10147,7 +10147,7 @@ } ], "id": "apt_conf_disallow_unauthenticated", - "title": "undefined title", + "title": "Disable unauthenticated repositories in APT configuration", "desc": "Unauthenticated repositories should not be used for updates.", "impact": 0.5, "descs": {} 
@@ -10512,187 +10512,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -10955,7 +10955,7 @@ } ], "id": "audit_rules_dac_modification_chmod", - "title": "undefined title", + "title": "Record Events that Modify the System's Discretionary Access Controls - chmod", "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:", "impact": 0.5, "descs": {} 
@@ -11320,187 +11320,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -11769,7 +11769,7 @@ } ], "id": "audit_rules_dac_modification_chown", - "title": "undefined title", + "title": "Record Events that Modify the System's Discretionary Access Controls - chown", "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:", "impact": 0.5, "descs": {} 
@@ -12134,187 +12134,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -12577,7 +12577,7 @@ } ], "id": "audit_rules_dac_modification_fchmod", - "title": "undefined title", + "title": "Record Events that Modify the System's Discretionary Access Controls - fchmod", "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:", "impact": 0.5, "descs": {} 
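Review bot: Every removed/added pair in this hunk renders identically here (`"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"` on both sides), so the real change is in a character the page does not show — given the switch to `withArrayNoEntitiesOption` in oval.ts, presumably the `&` in the query string is now serialised differently (`&amp;` versus `&`). The value consumers receive is a URL, so the fixture should end up with a literal `&`; if the new side carries `&amp;`, every reference link in these profiles is now broken for anyone following it. Please confirm the direction with `git diff --word-diff` before merging, since the same pattern repeats in the hunks at 12942, 13750, 14564 and 15372.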
@@ -12942,187 +12942,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -13385,7 +13385,7 @@ } ], "id": "audit_rules_dac_modification_fchmodat", - "title": "undefined title", + "title": "Record Events that Modify the System's Discretionary Access Controls - fchmodat", "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:", "impact": 0.5, "descs": {} 
@@ -13750,187 +13750,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -14199,7 +14199,7 @@ } ], "id": "audit_rules_dac_modification_fchown", - "title": "undefined title", + "title": "Record Events that Modify the System's Discretionary Access Controls - fchown", "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:", "impact": 0.5, "descs": {} 
@@ -14564,187 +14564,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -15013,7 +15013,7 @@ } ], "id": "audit_rules_dac_modification_fchownat", - "title": "undefined title", + "title": "Record Events that Modify the System's Discretionary Access Controls - fchownat", "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:", "impact": 0.5, "descs": {} 
@@ -15372,187 +15372,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -15827,7 +15827,7 @@ } ], "id": "audit_rules_dac_modification_fremovexattr", - "title": "undefined title", + "title": "Record Events that Modify the System's Discretionary Access Controls - fremovexattr", "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root.If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:", "impact": 0.5, "descs": {} 
@@ -16192,187 +16192,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -16647,7 +16647,7 @@ } ], "id": "audit_rules_dac_modification_fsetxattr", - "title": "undefined title", + "title": "Record Events that Modify the System's Discretionary Access Controls - fsetxattr", "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:", "impact": 0.5, "descs": {} 
@@ -17012,187 +17012,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -17461,7 +17461,7 @@ } ], "id": "audit_rules_dac_modification_lchown", - "title": "undefined title", + "title": "Record Events that Modify the System's Discretionary Access Controls - lchown", "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:", "impact": 0.5, "descs": {} 
@@ -17820,187 +17820,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -18281,7 +18281,7 @@ } ], "id": "audit_rules_dac_modification_lremovexattr", - "title": "undefined title", + "title": "Record Events that Modify the System's Discretionary Access Controls - lremovexattr", "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root.If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:", "impact": 0.5, "descs": {} 
@@ -18646,187 +18646,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -19101,7 +19101,7 @@ } ], "id": "audit_rules_dac_modification_lsetxattr", - "title": "undefined title", + "title": "Record Events that Modify the System's Discretionary Access Controls - lsetxattr", "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:", "impact": 0.5, "descs": {} 
@@ -19460,187 +19460,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -19921,7 +19921,7 @@ } ], "id": "audit_rules_dac_modification_removexattr", - "title": "undefined title", + "title": "Record Events that Modify the System's Discretionary Access Controls - removexattr", "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root.If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default), add the\nfollowing line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:", "impact": 0.5, "descs": {} 
@@ -20286,187 +20286,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -20723,7 +20723,7 @@ } ], "id": "audit_rules_dac_modification_setxattr", - "title": "undefined title", + "title": "Record Events that Modify the System's Discretionary Access Controls - setxattr", "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:", "impact": 0.5, "descs": {} 
@@ -20794,11 +20794,11 @@ } ], "id": "audit_rules_dac_modification_umount", - "title": "undefined title", + "title": "Record Events that Modify the System's Discretionary Access Controls - umount", "desc": "At a minimum, the audit system should collect file system umount\nchanges. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\nACTION_ARCH_FILTERS=\"-a always,exit -F arch=b32\"\nOTHER_FILTERS=\"\"\nAUID_FILTERS=\"-F auid>=1000 -F auid!=unset\"\nSYSCALL=\"umount\"\nKEY=\"perm_mod\"\nSYSCALL_GROUPING=\"\"\n\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\n# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. 
The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n# If audit tool is 'augenrules', then check if the audit rule is defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\ndefault_file=\"/etc/audit/rules.d/$KEY.rules\"\n# As other_filters may include paths, lets use a different delimiter for it\n# The \"F\" script expression tells sed to print the filenames where the expressions matched\nreadarray -t files_to_inspect < <(sed -s -n -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" -e \"F\" /etc/audit/rules.d/*.rules)\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\nif [ ${#files_to_inspect[@]} -eq \"0\" ]\nthen\n file_to_inspect=\"/etc/audit/rules.d/$KEY.rules\"\n files_to_inspect=(\"$file_to_inspect\")\n if [ ! 
-e \"$file_to_inspect\" ]\n then\n touch \"$file_to_inspect\"\n chmod 0640 \"$file_to_inspect\"\n fi\nfi\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\n# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# file to the list of files to be inspected\ndefault_file=\"/etc/audit/audit.rules\"\nfiles_to_inspect+=('/etc/audit/audit.rules' )\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e 
\"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\nACTION_ARCH_FILTERS=\"-a always,exit -F arch=b32\"\nOTHER_FILTERS=\"\"\nAUID_FILTERS=\"-F auid>=1000 -F auid!=unset\"\nSYSCALL=\"umount\"\nKEY=\"perm_mod\"\nSYSCALL_GROUPING=\"\"\n\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\n# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. 
The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n# If audit tool is 'augenrules', then check if the audit rule is defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\ndefault_file=\"/etc/audit/rules.d/$KEY.rules\"\n# As other_filters may include paths, lets use a different delimiter for it\n# The \"F\" script expression tells sed to print the filenames where the expressions matched\nreadarray -t files_to_inspect < <(sed -s -n -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" -e \"F\" /etc/audit/rules.d/*.rules)\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\nif [ ${#files_to_inspect[@]} -eq \"0\" ]\nthen\n file_to_inspect=\"/etc/audit/rules.d/$KEY.rules\"\n files_to_inspect=(\"$file_to_inspect\")\n if [ ! 
-e \"$file_to_inspect\" ]\n then\n touch \"$file_to_inspect\"\n chmod 0640 \"$file_to_inspect\"\n fi\nfi\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\n# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# file to the list of files to be inspected\ndefault_file=\"/etc/audit/audit.rules\"\nfiles_to_inspect+=('/etc/audit/audit.rules' )\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e 
\"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -20866,7 +20866,7 @@ } ], "id": "audit_rules_dac_modification_umount2", - "title": "undefined title", + "title": "Record Events that Modify the System's Discretionary Access Controls - umount2", "desc": "At a minimum, the audit system should collect file system umount2\nchanges. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:", "impact": 0.5, "descs": {} @@ -20954,7 +20954,7 @@ } ], "id": "audit_rules_execution_chacl", - "title": "undefined title", + "title": "Record Any Attempts to Run chacl", "desc": "At a minimum, the audit system should collect any execution attempt\nof thecommand for all users and root. If thedaemon is configured to use theprogram to read audit rules\nduring daemon startup (the default), add the following lines to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile:", "impact": 0.5, "descs": {} 
@@ -21229,85 +21229,85 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -21480,7 +21480,7 @@ } ], "id": "audit_rules_execution_chcon", - "title": "undefined title", + "title": "Record Any Attempts to Run chcon", "desc": "At a minimum, the audit system should collect any execution attempt\nof thecommand for all users and root. If thedaemon is configured to use theprogram to read audit rules\nduring daemon startup (the default), add the following lines to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile:", "impact": 0.5, "descs": {} @@ -21562,7 +21562,7 @@ } ], "id": "audit_rules_execution_setfacl", - "title": "undefined title", + "title": "Record Any Attempts to Run setfacl", "desc": "At a minimum, the audit system should collect any execution attempt\nof thecommand for all users and root. If thedaemon is configured to use theprogram to read audit rules\nduring daemon startup (the default), add the following lines to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile:", "impact": 0.5, "descs": {} 
@@ -21915,205 +21915,205 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -22394,7 +22394,7 @@ } ], "id": "audit_rules_file_deletion_events_rename", - "title": "undefined title", + "title": "Ensure auditd Collects File Deletion Events by User - rename", "desc": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:", "impact": 0.5, "descs": {} 
@@ -22747,205 +22747,205 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -23226,7 +23226,7 @@ } ], "id": "audit_rules_file_deletion_events_renameat", - "title": "undefined title", + "title": "Ensure auditd Collects File Deletion Events by User - renameat", "desc": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:", "impact": 0.5, "descs": {} 
@@ -23573,205 +23573,205 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -24046,7 +24046,7 @@ } ], "id": "audit_rules_file_deletion_events_rmdir", - "title": "undefined title", + "title": "Ensure auditd Collects File Deletion Events by User - rmdir", "desc": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:", "impact": 0.5, "descs": {} 
@@ -24399,205 +24399,205 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -24878,7 +24878,7 @@ } ], "id": "audit_rules_file_deletion_events_unlink", - "title": "undefined title", + "title": "Ensure auditd Collects File Deletion Events by User - unlink", "desc": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:", "impact": 0.5, "descs": {} 
@@ -25231,205 +25231,205 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -25710,7 +25710,7 @@ } ], "id": "audit_rules_file_deletion_events_unlinkat", - "title": "undefined title", + "title": "Ensure auditd Collects File Deletion Events by User - unlinkat", "desc": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:", "impact": 0.5, "descs": {} 
@@ -26034,121 +26034,121 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -26435,7 +26435,7 @@
 }
 ],
 "id": "audit_rules_immutable",
- "title": "undefined title",
+ "title": "Make the auditd Configuration Immutable",
 "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectoryin order to make the auditd configuration\nimmutable:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile in order to make the auditd configuration\nimmutable:With this setting, a reboot will be required to change any audit rules.",
 "impact": 0.5,
 "descs": {
@@ -26791,187 +26791,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -27234,11 +27234,11 @@ } ], "id": "audit_rules_kernel_module_loading_delete", - "title": "undefined title", + "title": "Ensure auditd Collects Information on Kernel Module Unloading - delete_module", "desc": "To capture kernel module unloading events, use following line, setting ARCH to\neither b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:Place to add the line depends on a waydaemon is configured. If it is configured\nto use theprogram (the default), add the line to a file with suffixin the directory.\n\nIf thedaemon is configured to use theutility,\nadd the line to file.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\n# First perform the remediation of the syscall rule\n# Retrieve hardware architecture of the underlying system\n# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>\n# it's required on a 64-bit system to check also for the presence\n# of 32-bit's equivalent of the corresponding rule.\n# (See `man 7 audit.rules` for details )\n[ \"$(getconf LONG_BIT)\" = \"32\" ] && RULE_ARCHS=(\"b32\") || RULE_ARCHS=(\"b32\" \"b64\")\n\nfor ARCH in \"${RULE_ARCHS[@]}\"\ndo\n\tACTION_ARCH_FILTERS=\"-a always,exit -F arch=$ARCH\"\n\tOTHER_FILTERS=\"\"\n\tAUID_FILTERS=\"\"\n\tSYSCALL=\"delete_module\"\n\tKEY=\"modules\"\n\tSYSCALL_GROUPING=\"delete_module\"\n\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\n\t# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. 
The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n# If audit tool is 'augenrules', then check if the audit rule is defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\ndefault_file=\"/etc/audit/rules.d/$KEY.rules\"\n# As other_filters may include paths, lets use a different delimiter for it\n# The \"F\" script expression tells sed to print the filenames where the expressions matched\nreadarray -t files_to_inspect < <(sed -s -n -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" -e \"F\" /etc/audit/rules.d/*.rules)\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\nif [ ${#files_to_inspect[@]} -eq \"0\" ]\nthen\n file_to_inspect=\"/etc/audit/rules.d/$KEY.rules\"\n files_to_inspect=(\"$file_to_inspect\")\n if [ ! 
-e \"$file_to_inspect\" ]\n then\n touch \"$file_to_inspect\"\n chmod 0640 \"$file_to_inspect\"\n fi\nfi\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\n\t# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# file to the list of files to be inspected\ndefault_file=\"/etc/audit/audit.rules\"\nfiles_to_inspect+=('/etc/audit/audit.rules' )\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e 
\"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\ndone\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\n# First perform the remediation of the syscall rule\n# Retrieve hardware architecture of the underlying system\n# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>\n# it's required on a 64-bit system to check also for the presence\n# of 32-bit's equivalent of the corresponding rule.\n# (See `man 7 audit.rules` for details )\n[ \"$(getconf LONG_BIT)\" = \"32\" ] && RULE_ARCHS=(\"b32\") || RULE_ARCHS=(\"b32\" \"b64\")\n\nfor ARCH in \"${RULE_ARCHS[@]}\"\ndo\n\tACTION_ARCH_FILTERS=\"-a always,exit -F arch=$ARCH\"\n\tOTHER_FILTERS=\"\"\n\tAUID_FILTERS=\"\"\n\tSYSCALL=\"delete_module\"\n\tKEY=\"modules\"\n\tSYSCALL_GROUPING=\"delete_module\"\n\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\n\t# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. 
The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n# If audit tool is 'augenrules', then check if the audit rule is defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\ndefault_file=\"/etc/audit/rules.d/$KEY.rules\"\n# As other_filters may include paths, lets use a different delimiter for it\n# The \"F\" script expression tells sed to print the filenames where the expressions matched\nreadarray -t files_to_inspect < <(sed -s -n -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" -e \"F\" /etc/audit/rules.d/*.rules)\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\nif [ ${#files_to_inspect[@]} -eq \"0\" ]\nthen\n file_to_inspect=\"/etc/audit/rules.d/$KEY.rules\"\n files_to_inspect=(\"$file_to_inspect\")\n if [ ! 
-e \"$file_to_inspect\" ]\n then\n touch \"$file_to_inspect\"\n chmod 0640 \"$file_to_inspect\"\n fi\nfi\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\n\t# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# file to the list of files to be inspected\ndefault_file=\"/etc/audit/audit.rules\"\nfiles_to_inspect+=('/etc/audit/audit.rules' )\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e 
\"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\ndone\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -27584,187 +27584,187 @@
 {
 "ref": "4.2.3.10",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.2.6.7",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.3.9",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.5.8",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.6.6",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.4.4.7",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.4.5.6",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.4.5.7",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.4.5.8",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.4.2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.4.2.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.4.2.4",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 1.13",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.10",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.11",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.12",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.6",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.8",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.9",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 3.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 3.5",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 3.8",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 4.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 4.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 6.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 6.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 7.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 7.6",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -28027,11 +28027,11 @@ } ], "id": "audit_rules_kernel_module_loading_finit", - "title": "undefined title", + "title": "Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module", "desc": "If thedaemon is configured to use theprogram\nto read audit rules during daemon startup (the default), add the following lines to a file\nwith suffixin the directoryto capture kernel module\nloading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:If thedaemon is configured to use theutility to read audit\nrules during daemon startup, add the following lines tofile\nin order to capture kernel module loading and unloading events, setting ARCH to either b32 or\nb64 as appropriate for your system:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\n# First perform the remediation of the syscall rule\n# Retrieve hardware architecture of the underlying system\n# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>\n# it's required on a 64-bit system to check also for the presence\n# of 32-bit's equivalent of the corresponding rule.\n# (See `man 7 audit.rules` for details )\n[ \"$(getconf LONG_BIT)\" = \"32\" ] && RULE_ARCHS=(\"b32\") || RULE_ARCHS=(\"b32\" \"b64\")\n\nfor ARCH in \"${RULE_ARCHS[@]}\"\ndo\n\tACTION_ARCH_FILTERS=\"-a always,exit -F arch=$ARCH\"\n\tOTHER_FILTERS=\"\"\n\tAUID_FILTERS=\"\"\n\tSYSCALL=\"finit_module\"\n\tKEY=\"modules\"\n\tSYSCALL_GROUPING=\"init_module finit_module\"\n\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\n\t# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. 
The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n# If audit tool is 'augenrules', then check if the audit rule is defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\ndefault_file=\"/etc/audit/rules.d/$KEY.rules\"\n# As other_filters may include paths, lets use a different delimiter for it\n# The \"F\" script expression tells sed to print the filenames where the expressions matched\nreadarray -t files_to_inspect < <(sed -s -n -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" -e \"F\" /etc/audit/rules.d/*.rules)\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\nif [ ${#files_to_inspect[@]} -eq \"0\" ]\nthen\n file_to_inspect=\"/etc/audit/rules.d/$KEY.rules\"\n files_to_inspect=(\"$file_to_inspect\")\n if [ ! 
-e \"$file_to_inspect\" ]\n then\n touch \"$file_to_inspect\"\n chmod 0640 \"$file_to_inspect\"\n fi\nfi\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\n\t# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# file to the list of files to be inspected\ndefault_file=\"/etc/audit/audit.rules\"\nfiles_to_inspect+=('/etc/audit/audit.rules' )\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e 
\"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\ndone\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\n# First perform the remediation of the syscall rule\n# Retrieve hardware architecture of the underlying system\n# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>\n# it's required on a 64-bit system to check also for the presence\n# of 32-bit's equivalent of the corresponding rule.\n# (See `man 7 audit.rules` for details )\n[ \"$(getconf LONG_BIT)\" = \"32\" ] && RULE_ARCHS=(\"b32\") || RULE_ARCHS=(\"b32\" \"b64\")\n\nfor ARCH in \"${RULE_ARCHS[@]}\"\ndo\n\tACTION_ARCH_FILTERS=\"-a always,exit -F arch=$ARCH\"\n\tOTHER_FILTERS=\"\"\n\tAUID_FILTERS=\"\"\n\tSYSCALL=\"finit_module\"\n\tKEY=\"modules\"\n\tSYSCALL_GROUPING=\"init_module finit_module\"\n\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\n\t# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. 
The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n# If audit tool is 'augenrules', then check if the audit rule is defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\ndefault_file=\"/etc/audit/rules.d/$KEY.rules\"\n# As other_filters may include paths, lets use a different delimiter for it\n# The \"F\" script expression tells sed to print the filenames where the expressions matched\nreadarray -t files_to_inspect < <(sed -s -n -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" -e \"F\" /etc/audit/rules.d/*.rules)\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\nif [ ${#files_to_inspect[@]} -eq \"0\" ]\nthen\n file_to_inspect=\"/etc/audit/rules.d/$KEY.rules\"\n files_to_inspect=(\"$file_to_inspect\")\n if [ ! 
-e \"$file_to_inspect\" ]\n then\n touch \"$file_to_inspect\"\n chmod 0640 \"$file_to_inspect\"\n fi\nfi\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\n\t# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# file to the list of files to be inspected\ndefault_file=\"/etc/audit/audit.rules\"\nfiles_to_inspect+=('/etc/audit/audit.rules' )\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e 
\"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\ndone\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
 }
 },
 {
@@ -28383,187 +28383,187 @@
 {
 "ref": "4.2.3.10",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.2.6.7",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.3.9",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.5.8",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.6.6",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.4.4.7",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.4.5.6",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.4.5.7",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.4.5.8",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.4.2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.4.2.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.4.2.4",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 1.13",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.10",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.11",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.12",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.6",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.8",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.9",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 3.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 3.5",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 3.8",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 4.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 4.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 6.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 6.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 7.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 7.6",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -28826,11 +28826,11 @@
 }
 ],
 "id": "audit_rules_kernel_module_loading_init",
- "title": "undefined title",
+ "title": "Ensure auditd Collects Information on Kernel Module Loading - init_module",
 "desc": "To capture kernel module loading events, use following line, setting ARCH to\neither b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:Place to add the line depends on a waydaemon is configured. If it is configured\nto use theprogram (the default), add the line to a file with suffixin the directory.\n\nIf thedaemon is configured to use theutility,\nadd the line to file.",
 "impact": 0.5,
 "descs": {
- "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\n# First perform the remediation of the syscall rule\n# Retrieve hardware architecture of the underlying system\n# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>\n# it's required on a 64-bit system to check also for the presence\n# of 32-bit's equivalent of the corresponding rule.\n# (See `man 7 audit.rules` for details )\n[ \"$(getconf LONG_BIT)\" = \"32\" ] && RULE_ARCHS=(\"b32\") || RULE_ARCHS=(\"b32\" \"b64\")\n\nfor ARCH in \"${RULE_ARCHS[@]}\"\ndo\n\tACTION_ARCH_FILTERS=\"-a always,exit -F arch=$ARCH\"\n\tOTHER_FILTERS=\"\"\n\tAUID_FILTERS=\"\"\n\tSYSCALL=\"init_module\"\n\tKEY=\"modules\"\n\tSYSCALL_GROUPING=\"init_module finit_module\"\n\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\n\t# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. 
The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n# If audit tool is 'augenrules', then check if the audit rule is defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\ndefault_file=\"/etc/audit/rules.d/$KEY.rules\"\n# As other_filters may include paths, lets use a different delimiter for it\n# The \"F\" script expression tells sed to print the filenames where the expressions matched\nreadarray -t files_to_inspect < <(sed -s -n -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" -e \"F\" /etc/audit/rules.d/*.rules)\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\nif [ ${#files_to_inspect[@]} -eq \"0\" ]\nthen\n file_to_inspect=\"/etc/audit/rules.d/$KEY.rules\"\n files_to_inspect=(\"$file_to_inspect\")\n if [ ! 
-e \"$file_to_inspect\" ]\n then\n touch \"$file_to_inspect\"\n chmod 0640 \"$file_to_inspect\"\n fi\nfi\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\n\t# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# file to the list of files to be inspected\ndefault_file=\"/etc/audit/audit.rules\"\nfiles_to_inspect+=('/etc/audit/audit.rules' )\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e 
\"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\ndone\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
+ "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\n# First perform the remediation of the syscall rule\n# Retrieve hardware architecture of the underlying system\n# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>\n# it's required on a 64-bit system to check also for the presence\n# of 32-bit's equivalent of the corresponding rule.\n# (See `man 7 audit.rules` for details )\n[ \"$(getconf LONG_BIT)\" = \"32\" ] && RULE_ARCHS=(\"b32\") || RULE_ARCHS=(\"b32\" \"b64\")\n\nfor ARCH in \"${RULE_ARCHS[@]}\"\ndo\n\tACTION_ARCH_FILTERS=\"-a always,exit -F arch=$ARCH\"\n\tOTHER_FILTERS=\"\"\n\tAUID_FILTERS=\"\"\n\tSYSCALL=\"init_module\"\n\tKEY=\"modules\"\n\tSYSCALL_GROUPING=\"init_module finit_module\"\n\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\n\t# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. 
The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n# If audit tool is 'augenrules', then check if the audit rule is defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\ndefault_file=\"/etc/audit/rules.d/$KEY.rules\"\n# As other_filters may include paths, lets use a different delimiter for it\n# The \"F\" script expression tells sed to print the filenames where the expressions matched\nreadarray -t files_to_inspect < <(sed -s -n -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" -e \"F\" /etc/audit/rules.d/*.rules)\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\nif [ ${#files_to_inspect[@]} -eq \"0\" ]\nthen\n file_to_inspect=\"/etc/audit/rules.d/$KEY.rules\"\n files_to_inspect=(\"$file_to_inspect\")\n if [ ! 
-e \"$file_to_inspect\" ]\n then\n touch \"$file_to_inspect\"\n chmod 0640 \"$file_to_inspect\"\n fi\nfi\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\n\t# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# file to the list of files to be inspected\ndefault_file=\"/etc/audit/audit.rules\"\nfiles_to_inspect+=('/etc/audit/audit.rules' )\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e 
\"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\ndone\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -28886,7 +28886,7 @@ } ], "id": "audit_rules_login_events_faillog", - "title": "undefined title", + "title": "Record Attempts to Alter Logon and Logout Events - faillog", "desc": "The audit system already collects login information for all users\nand root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectoryin order to watch for attempted manual\nedits of files involved in storing logon events:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile in order to watch for unattempted manual\nedits of files involved in storing logon events:", "impact": 0.5, "descs": {} 
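Review bot: The context `desc` value in this hunk (`@@ -28886`) reads "If thedaemon is configured to use theprogram to read audit rules … add the following lines to a file with suffixin the\ndirectoryin order to watch …", so the text of the inline elements (presumably the daemon name, program name, suffix, directory and the rule lines themselves) appears to have been dropped together with the tags, leaving the expected remediation text without the remediation it describes. The same lossy descriptions sit in the title hunks at `@@ -29682`, `@@ -30442`, `@@ -31154` and `@@ -31920`, so this snapshot pins the mangled output rather than catching it; I would expect tag stripping to keep the inner text (something like "If the auditd daemon is configured to use the augenrules program …") and the fixture to be regenerated before it is committed. Separately, the removed and added URL lines in the surrounding `ref` hunks are indistinguishable in this rendering; if the only difference is entity decoding (`&amp;` → `&`), a sentence in the commit description saying so would save reviewers guessing. The file header for this section is outside the visible range.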
@@ -29239,187 +29239,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -29682,7 +29682,7 @@ } ], "id": "audit_rules_login_events_lastlog", - "title": "undefined title", + "title": "Record Attempts to Alter Logon and Logout Events - lastlog", "desc": "The audit system already collects login information for all users\nand root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectoryin order to watch for attempted manual\nedits of files involved in storing logon events:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile in order to watch for unattempted manual\nedits of files involved in storing logon events:", "impact": 0.5, "descs": {} 
@@ -30029,187 +30029,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -30442,7 +30442,7 @@ } ], "id": "audit_rules_login_events_tallylog", - "title": "undefined title", + "title": "Record Attempts to Alter Logon and Logout Events - tallylog", "desc": "The audit system already collects login information for all users\nand root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectoryin order to watch for attempted manual\nedits of files involved in storing logon events:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile in order to watch for unattempted manual\nedits of files involved in storing logon events:", "impact": 0.5, "descs": {} 
@@ -30771,187 +30771,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -31154,7 +31154,7 @@ } ], "id": "audit_rules_mac_modification", - "title": "undefined title", + "title": "Record Events that Modify the System's Mandatory Access Controls", "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:", "impact": 0.5, "descs": {} 
@@ -31501,187 +31501,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -31920,7 +31920,7 @@ } ], "id": "audit_rules_media_export", - "title": "undefined title", + "title": "Ensure auditd Collects Information on Exporting to Media (successful)", "desc": "At a minimum, the audit system should collect media exportation\nevents for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:", "impact": 0.5, "descs": {} 
@@ -32255,187 +32255,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -32638,7 +32638,7 @@ } ], "id": "audit_rules_networkconfig_modification", - "title": "undefined title", + "title": "Record Events that Modify the System's Network Environment", "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:", "impact": 0.5, "descs": {} 
@@ -32943,205 +32943,205 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -33446,7 +33446,7 @@ } ], "id": "audit_rules_privileged_commands", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands", "desc": "The audit system should collect information about usage of privileged\ncommands for all users and root. To find the relevant setuid /\nsetgid programs, run the following command for each local partition:If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default), add a line of\nthe following form to a file with suffixin the directoryfor each setuid / setgid program on the system,\nreplacing thepart with the full path of that setuid /\nsetgid program in the list:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform tofor each setuid / setgid program on the\nsystem, replacing thepart with the full path of that\nsetuid / setgid program in the list:", "impact": 0.5, "descs": {} 
@@ -33504,7 +33504,7 @@ } ], "id": "audit_rules_privileged_commands_at", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - at", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -33785,85 +33785,85 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -34072,7 +34072,7 @@ } ], "id": "audit_rules_privileged_commands_chage", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - chage", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -34148,7 +34148,7 @@ } ], "id": "audit_rules_privileged_commands_chfn", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - chfn", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -34435,85 +34435,85 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -34716,7 +34716,7 @@ } ], "id": "audit_rules_privileged_commands_chsh", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - chsh", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -34997,85 +34997,85 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -35224,7 +35224,7 @@ } ], "id": "audit_rules_privileged_commands_crontab", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - crontab", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -35505,85 +35505,85 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -35792,7 +35792,7 @@ } ], "id": "audit_rules_privileged_commands_gpasswd", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} @@ -35910,7 +35910,7 @@ } ], "id": "audit_rules_privileged_commands_insmod", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - insmod", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:", "impact": 0.5, "descs": {} 
@@ -36040,7 +36040,7 @@ } ], "id": "audit_rules_privileged_commands_kmod", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - kmod", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} @@ -36164,7 +36164,7 @@ } ], "id": "audit_rules_privileged_commands_modprobe", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - modprobe", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} @@ -36258,7 +36258,7 @@ } ], "id": "audit_rules_privileged_commands_mount", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - mount", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -36370,7 +36370,7 @@ } ], "id": "audit_rules_privileged_commands_newgidmap", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -36657,85 +36657,85 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -36944,7 +36944,7 @@ } ], "id": "audit_rules_privileged_commands_newgrp", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - newgrp", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
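Review bot: The removed and added `url` lines in this hunk render identically (`…pageid=111294&productId=116731`), so the real change is presumably an entity change such as `&amp;` versus `&` that this listing has normalized away, and the diff as shown gives no way to confirm which direction it went. If the JSON now holds the raw `&`, any path that re-emits these values into XCCDF or HTML must escape it again, since `&productId` is an unterminated entity reference and makes the output ill-formed. A round-trip check that writes one of these `url` values through the XML writer and parses it back would pin the intended representation.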
@@ -37056,7 +37056,7 @@ } ], "id": "audit_rules_privileged_commands_newuidmap", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -37331,85 +37331,85 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -37558,7 +37558,7 @@ } ], "id": "audit_rules_privileged_commands_pam_timestamp_check", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -37833,85 +37833,85 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -38120,7 +38120,7 @@ } ], "id": "audit_rules_privileged_commands_passwd", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - passwd", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -38401,85 +38401,85 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -38622,7 +38622,7 @@ } ], "id": "audit_rules_privileged_commands_postdrop", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - postdrop", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -38903,85 +38903,85 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -39124,7 +39124,7 @@ } ], "id": "audit_rules_privileged_commands_postqueue", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - postqueue", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} @@ -39200,7 +39200,7 @@ } ], "id": "audit_rules_privileged_commands_rmmod", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - rmmod", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:", "impact": 0.5, "descs": {} 
@@ -39282,7 +39282,7 @@ } ], "id": "audit_rules_privileged_commands_ssh_agent", - "title": "undefined title", + "title": "Record Any Attempts to Run ssh-agent", "desc": "At a minimum, the audit system should collect any execution attempt\nof thecommand for all users and root. If thedaemon is configured to use theprogram to read audit rules\nduring daemon startup (the default), add the following lines to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile:", "impact": 0.5, "descs": {} 
@@ -39563,85 +39563,85 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -39796,7 +39796,7 @@ } ], "id": "audit_rules_privileged_commands_ssh_keysign", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -40083,85 +40083,85 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -40328,7 +40328,7 @@ } ], "id": "audit_rules_privileged_commands_su", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - su", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -40621,85 +40621,85 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -40860,7 +40860,7 @@ } ], "id": "audit_rules_privileged_commands_sudo", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - sudo", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -41147,85 +41147,85 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -41380,7 +41380,7 @@ } ], "id": "audit_rules_privileged_commands_sudoedit", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -41655,85 +41655,85 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -41870,7 +41870,7 @@ } ], "id": "audit_rules_privileged_commands_umount", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - umount", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -42157,85 +42157,85 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -42480,7 +42480,7 @@ } ], "id": "audit_rules_privileged_commands_unix_chkpwd", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -42568,7 +42568,7 @@ } ], "id": "audit_rules_privileged_commands_usermod", - "title": "undefined title", + "title": "Ensure auditd Collects Information on the Use of Privileged Commands - usermod", "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:", "impact": 0.5, "descs": {} 
@@ -42903,187 +42903,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -43286,7 +43286,7 @@ } ], "id": "audit_rules_session_events", - "title": "undefined title", + "title": "Record Attempts to Alter Process and Session Initiation Information", "desc": "The audit system already collects process information for all\nusers and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectoryin order to watch for attempted manual\nedits of files involved in storing such process information:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile in order to watch for attempted manual\nedits of files involved in storing such process information:", "impact": 0.5, "descs": {} @@ -43332,7 +43332,7 @@ } ], "id": "audit_rules_session_events_btmp", - "title": "undefined title", + "title": "Record Attempts to Alter Process and Session Initiation Information btmp", "desc": "The audit system already collects process information for all\nusers and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectoryin order to watch for attempted manual\nedits of files involved in storing such process information:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile in order to watch for attempted manual\nedits of files involved in storing such process information:", "impact": 0.5, "descs": {} 
@@ -43378,7 +43378,7 @@ } ], "id": "audit_rules_session_events_utmp", - "title": "undefined title", + "title": "Record Attempts to Alter Process and Session Initiation Information utmp", "desc": "The audit system already collects process information for all\nusers and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectoryin order to watch for attempted manual\nedits of files involved in storing such process information:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile in order to watch for attempted manual\nedits of files involved in storing such process information:", "impact": 0.5, "descs": {} @@ -43424,7 +43424,7 @@ } ], "id": "audit_rules_session_events_wtmp", - "title": "undefined title", + "title": "Record Attempts to Alter Process and Session Initiation Information wtmp", "desc": "The audit system already collects process information for all\nusers and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectoryin order to watch for attempted manual\nedits of files involved in storing such process information:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile in order to watch for attempted manual\nedits of files involved in storing such process information:", "impact": 0.5, "descs": {} 
@@ -43632,7 +43632,7 @@ } ], "id": "audit_rules_suid_privilege_function", - "title": "undefined title", + "title": "Record Events When Privileged Executables Are Run", "desc": "Verify the system generates an audit record when privileged functions are executed.If both the \"b32\" and \"b64\" audit rules for \"SUID\" files are not defined, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules for \"SGID\" files are not defined, this is a finding.", "impact": 0.5, "descs": {} 
@@ -44016,277 +44016,277 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -44705,11 +44705,11 @@ } ], "id": "audit_rules_sysadmin_actions", - "title": "undefined title", + "title": "Ensure auditd Collects System Administrator Actions", "desc": "At a minimum, the audit system should collect administrator actions\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default),\nadd the following line to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:", "impact": 0.5, "descs": { - "fix": "- name: Gather the package facts\n package_facts:\n manager: auto\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-2(7)(b)\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.2.2\n - PCI-DSS-Req-10.2.5.b\n - audit_rules_sysadmin_actions\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions\n find:\n paths: /etc/audit/rules.d\n recurse: false\n contains: ^.*/etc/sudoers.*$\n patterns: '*.rules'\n register: find_audit_sysadmin_actions\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-2(7)(b)\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.2.2\n - PCI-DSS-Req-10.2.5.b\n - audit_rules_sysadmin_actions\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule\n set_fact:\n all_sysadmin_actions_files:\n - /etc/audit/rules.d/actions.rules\n when:\n - '\"audit\" in ansible_facts.packages'\n - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched\n == 0\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - 
NIST-800-53-AC-2(7)(b)\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.2.2\n - PCI-DSS-Req-10.2.5.b\n - audit_rules_sysadmin_actions\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Use matched file as the recipient for the rule\n set_fact:\n all_sysadmin_actions_files:\n - '{{ find_audit_sysadmin_actions.files | map(attribute=''path'') | list | first\n }}'\n when:\n - '\"audit\" in ansible_facts.packages'\n - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched\n > 0\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-2(7)(b)\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.2.2\n - PCI-DSS-Req-10.2.5.b\n - audit_rules_sysadmin_actions\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Inserts/replaces audit rule for /etc/sudoers rule in rules.d\n lineinfile:\n path: '{{ all_sysadmin_actions_files[0] }}'\n line: -w /etc/sudoers -p wa -k actions\n create: true\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-2(7)(b)\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.2.2\n - PCI-DSS-Req-10.2.5.b\n - audit_rules_sysadmin_actions\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Inserts/replaces audit rule for /etc/sudoers.d rule in rules.d\n lineinfile:\n path: '{{ all_sysadmin_actions_files[0] }}'\n line: -w /etc/sudoers.d/ -p wa -k actions\n create: true\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-2(7)(b)\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - 
PCI-DSS-Req-10.2.2\n - PCI-DSS-Req-10.2.5.b\n - audit_rules_sysadmin_actions\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules\n lineinfile:\n path: /etc/audit/audit.rules\n line: -w /etc/sudoers -p wa -k actions\n create: true\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-2(7)(b)\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.2.2\n - PCI-DSS-Req-10.2.5.b\n - audit_rules_sysadmin_actions\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Inserts/replaces audit rule for /etc/sudoers.d in audit.rules\n lineinfile:\n path: /etc/audit/audit.rules\n line: -w /etc/sudoers.d/ -p wa -k actions\n create: true\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-2(7)(b)\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.2.2\n - PCI-DSS-Req-10.2.5.b\n - audit_rules_sysadmin_actions\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy" + "fix": "- name: Gather the package facts\n package_facts:\n manager: auto\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-2(7)(b)\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.2.2\n - PCI-DSS-Req-10.2.5.b\n - audit_rules_sysadmin_actions\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions\n find:\n paths: /etc/audit/rules.d\n recurse: false\n contains: ^.*/etc/sudoers.*$\n patterns: '*.rules'\n register: find_audit_sysadmin_actions\n when: 
'\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-2(7)(b)\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.2.2\n - PCI-DSS-Req-10.2.5.b\n - audit_rules_sysadmin_actions\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule\n set_fact:\n all_sysadmin_actions_files:\n - /etc/audit/rules.d/actions.rules\n when:\n - '\"audit\" in ansible_facts.packages'\n - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched\n == 0\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-2(7)(b)\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.2.2\n - PCI-DSS-Req-10.2.5.b\n - audit_rules_sysadmin_actions\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Use matched file as the recipient for the rule\n set_fact:\n all_sysadmin_actions_files:\n - '{{ find_audit_sysadmin_actions.files | map(attribute=''path'') | list | first\n }}'\n when:\n - '\"audit\" in ansible_facts.packages'\n - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched\n > 0\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-2(7)(b)\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.2.2\n - PCI-DSS-Req-10.2.5.b\n - audit_rules_sysadmin_actions\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Inserts/replaces audit rule for /etc/sudoers rule in rules.d\n lineinfile:\n path: '{{ all_sysadmin_actions_files[0] }}'\n line: -w /etc/sudoers -p wa -k actions\n create: true\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - 
CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-2(7)(b)\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.2.2\n - PCI-DSS-Req-10.2.5.b\n - audit_rules_sysadmin_actions\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Inserts/replaces audit rule for /etc/sudoers.d rule in rules.d\n lineinfile:\n path: '{{ all_sysadmin_actions_files[0] }}'\n line: -w /etc/sudoers.d/ -p wa -k actions\n create: true\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-2(7)(b)\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.2.2\n - PCI-DSS-Req-10.2.5.b\n - audit_rules_sysadmin_actions\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules\n lineinfile:\n path: /etc/audit/audit.rules\n line: -w /etc/sudoers -p wa -k actions\n create: true\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-2(7)(b)\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.2.2\n - PCI-DSS-Req-10.2.5.b\n - audit_rules_sysadmin_actions\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Inserts/replaces audit rule for /etc/sudoers.d in audit.rules\n lineinfile:\n path: /etc/audit/audit.rules\n line: -w /etc/sudoers.d/ -p wa -k actions\n create: true\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-2(7)(b)\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.2.2\n - PCI-DSS-Req-10.2.5.b\n - audit_rules_sysadmin_actions\n - 
low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy" } }, { 
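Review bot: The `desc` context line in this hunk still reads `If thedaemon is configured to use theprogram to read audit rules` and `a file with suffixin the directory:`, so the regenerated fixture now asserts output in which the text inside inline markup elements was dropped together with the tags, not just the tags themselves. That looks like a data-loss defect in the tag-stripping path this commit introduces rather than behaviour the expected-output file should lock in; I would hold the fixture update until the inline text survives, or annotate the affected `desc` entries as known-lossy in the test so the gap is not silently accepted. The `-`/`+` pair for `fix` renders as identical text on this page, so whatever changed there (presumably whitespace or entity form) cannot be reviewed from the diff alone. The same `desc` pattern is visible in the next fixture hunk for `audit_rules_time_adjtimex`, whose end is outside this view.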
@@ -45055,187 +45055,187 @@
 {
 "ref": "4.2.3.10",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.2.6.7",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.3.9",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.5.8",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.3.6.6",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.4.4.7",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.4.5.6",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.4.5.7",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.4.5.8",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.4.2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.4.2.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.4.2.4",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 1.13",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.10",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.11",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.12",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.6",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.8",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 2.9",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 3.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 3.5",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 3.8",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 4.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 4.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 6.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 6.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 7.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 7.6",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
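Review bot: Every `-`/`+` pair in this hunk renders as byte-identical text on this page (for example the `SR 1.13` url), so the change the regenerated fixture locks in — presumably the encoded-versus-decoded form of `&` in the reference href after the switch to the no-entities parser option — cannot be verified from the diff. A focused assertion in the parser tests that a reference `href` written as `...&amp;productId=...` in the XCCDF input comes out with exactly one `&` (neither left encoded nor decoded twice) would make this regeneration reviewable and would catch a regression that a bulk fixture comparison hides. The same applies to the earlier url hunk above, whose start is outside this view.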
@@ -45438,11 +45438,11 @@ } ], "id": "audit_rules_time_adjtimex", - "title": "undefined title", + "title": "Record attempts to alter time through adjtimex", "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:The -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. See an example of multiple combined syscalls:", "impact": 0.5, "descs": { - "fix": "- name: Gather the package facts\n package_facts:\n manager: auto\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_adjtimex\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Set architecture for audit tasks\n set_fact:\n audit_arch: b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_adjtimex\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Perform remediation of Audit rules for adjtimex for x86 platform\n block:\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - adjtimex\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - name: Check existence of 
adjtimex in /etc/audit/rules.d/\n find:\n paths: /etc/audit/rules.d\n contains: -a always,exit -F arch=b32(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: '*.rules'\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Reset syscalls found per file\n set_fact:\n syscalls_per_file: {}\n found_paths_dict: {}\n\n - name: Declare syscalls found per file\n set_fact: syscalls_per_file=\"{{ syscalls_per_file | combine( {item.files[0].path\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\"\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\n\n - name: Declare files where syscalls were found\n set_fact: found_paths=\"{{ find_command.results | map(attribute='files') | flatten\n | map(attribute='path') | list }}\"\n\n - name: Count occurrences of syscalls in paths\n set_fact: found_paths_dict=\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\n 0) }) }}\"\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\n | list }}'\n\n - name: Get path with most syscalls\n set_fact: audit_file=\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\n | last).key }}\"\n when: found_paths | length >= 1\n\n - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules\n set_fact: audit_file=\"/etc/audit/rules.d/audit_time_rules.rules\"\n when: found_paths | length == 0\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F 
key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - adjtimex\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - name: Check existence of adjtimex in /etc/audit/audit.rules\n find:\n paths: /etc/audit\n contains: -a always,exit -F arch=b32(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: audit.rules\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Set path to /etc/audit/audit.rules\n set_fact: audit_file=\"/etc/audit/audit.rules\"\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - 
NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_adjtimex\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Perform remediation of Audit rules for adjtimex for x86_64 platform\n block:\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - adjtimex\n syscall_grouping:\n - adjtimex\n - settimeofday\n\n - name: Check existence of adjtimex in /etc/audit/rules.d/\n find:\n paths: /etc/audit/rules.d\n contains: -a always,exit -F arch=b64(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: '*.rules'\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Reset syscalls found per file\n set_fact:\n syscalls_per_file: {}\n found_paths_dict: {}\n\n - name: Declare syscalls found per file\n set_fact: syscalls_per_file=\"{{ syscalls_per_file | combine( {item.files[0].path\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\"\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\n\n - name: Declare files where syscalls were found\n set_fact: found_paths=\"{{ find_command.results | map(attribute='files') | flatten\n | map(attribute='path') | list }}\"\n\n - name: Count occurrences of syscalls in paths\n set_fact: found_paths_dict=\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\n 0) }) }}\"\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\n | list }}'\n\n - name: Get path with most syscalls\n set_fact: audit_file=\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\n | last).key }}\"\n when: found_paths | length >= 1\n\n - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules\n set_fact: audit_file=\"/etc/audit/rules.d/audit_time_rules.rules\"\n when: found_paths | length == 
0\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - adjtimex\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - name: Check existence of adjtimex in /etc/audit/audit.rules\n find:\n paths: /etc/audit\n contains: -a always,exit -F arch=b64(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: audit.rules\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Set path to /etc/audit/audit.rules\n set_fact: audit_file=\"/etc/audit/audit.rules\"\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n 
line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n when:\n - '\"audit\" in ansible_facts.packages'\n - audit_arch == \"b64\"\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_adjtimex\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy" + "fix": "- name: Gather the package facts\n package_facts:\n manager: auto\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_adjtimex\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Set architecture for audit tasks\n set_fact:\n audit_arch: b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_adjtimex\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Perform remediation of Audit rules for adjtimex for x86 platform\n block:\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - adjtimex\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - name: Check existence of adjtimex in /etc/audit/rules.d/\n find:\n paths: /etc/audit/rules.d\n contains: -a 
always,exit -F arch=b32(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: '*.rules'\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Reset syscalls found per file\n set_fact:\n syscalls_per_file: {}\n found_paths_dict: {}\n\n - name: Declare syscalls found per file\n set_fact: syscalls_per_file=\"{{ syscalls_per_file | combine( {item.files[0].path\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\"\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\n\n - name: Declare files where syscalls were found\n set_fact: found_paths=\"{{ find_command.results | map(attribute='files') | flatten\n | map(attribute='path') | list }}\"\n\n - name: Count occurrences of syscalls in paths\n set_fact: found_paths_dict=\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\n 0) }) }}\"\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\n | list }}'\n\n - name: Get path with most syscalls\n set_fact: audit_file=\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\n | last).key }}\"\n when: found_paths | length >= 1\n\n - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules\n set_fact: audit_file=\"/etc/audit/rules.d/audit_time_rules.rules\"\n when: found_paths | length == 0\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n 
state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - adjtimex\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - name: Check existence of adjtimex in /etc/audit/audit.rules\n find:\n paths: /etc/audit\n contains: -a always,exit -F arch=b32(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: audit.rules\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Set path to /etc/audit/audit.rules\n set_fact: audit_file=\"/etc/audit/audit.rules\"\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - 
NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_adjtimex\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Perform remediation of Audit rules for adjtimex for x86_64 platform\n block:\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - adjtimex\n syscall_grouping:\n - adjtimex\n - settimeofday\n\n - name: Check existence of adjtimex in /etc/audit/rules.d/\n find:\n paths: /etc/audit/rules.d\n contains: -a always,exit -F arch=b64(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: '*.rules'\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Reset syscalls found per file\n set_fact:\n syscalls_per_file: {}\n found_paths_dict: {}\n\n - name: Declare syscalls found per file\n set_fact: syscalls_per_file=\"{{ syscalls_per_file | combine( {item.files[0].path\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\"\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\n\n - name: Declare files where syscalls were found\n set_fact: found_paths=\"{{ find_command.results | map(attribute='files') | flatten\n | map(attribute='path') | list }}\"\n\n - name: Count occurrences of syscalls in paths\n set_fact: found_paths_dict=\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\n 0) }) }}\"\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\n | list }}'\n\n - name: Get path with most syscalls\n set_fact: audit_file=\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\n | last).key }}\"\n when: found_paths | length >= 1\n\n - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules\n set_fact: audit_file=\"/etc/audit/rules.d/audit_time_rules.rules\"\n when: found_paths | length == 0\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | 
selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - adjtimex\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - name: Check existence of adjtimex in /etc/audit/audit.rules\n find:\n paths: /etc/audit\n contains: -a always,exit -F arch=b64(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: audit.rules\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Set path to /etc/audit/audit.rules\n set_fact: audit_file=\"/etc/audit/audit.rules\"\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: 
present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n when:\n - '\"audit\" in ansible_facts.packages'\n - audit_arch == \"b64\"\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_adjtimex\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy" } }, { 
@@ -45788,187 +45788,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -46171,11 +46171,11 @@ } ], "id": "audit_rules_time_clock_settime", - "title": "undefined title", + "title": "Record Attempts to Alter Time Through clock_settime", "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:The -k option allows for the specification of a key in string form that can\nbe used for better reporting capability through ausearch and aureport.\nMultiple system calls can be defined on the same line to save space if\ndesired, but is not required. See an example of multiple combined syscalls:", "impact": 0.5, "descs": { - "fix": "- name: Gather the package facts\n package_facts:\n manager: auto\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_clock_settime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Set architecture for audit tasks\n set_fact:\n audit_arch: b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_clock_settime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Perform remediation of Audit rules for clock_settime for x86 platform\n block:\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - clock_settime\n syscall_grouping: []\n\n - name: Check existence of 
clock_settime in /etc/audit/rules.d/\n find:\n paths: /etc/audit/rules.d\n contains: -a always,exit -F arch=b32(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* -F a0=0x0 (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: '*.rules'\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Reset syscalls found per file\n set_fact:\n syscalls_per_file: {}\n found_paths_dict: {}\n\n - name: Declare syscalls found per file\n set_fact: syscalls_per_file=\"{{ syscalls_per_file | combine( {item.files[0].path\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\"\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\n\n - name: Declare files where syscalls were found\n set_fact: found_paths=\"{{ find_command.results | map(attribute='files') | flatten\n | map(attribute='path') | list }}\"\n\n - name: Count occurrences of syscalls in paths\n set_fact: found_paths_dict=\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\n 0) }) }}\"\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\n | list }}'\n\n - name: Get path with most syscalls\n set_fact: audit_file=\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\n | last).key }}\"\n when: found_paths | length >= 1\n\n - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules\n set_fact: audit_file=\"/etc/audit/rules.d/time-change.rules\"\n when: found_paths | length == 0\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( -F a0=0x0 
(?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F\n key=time-change\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - clock_settime\n syscall_grouping: []\n\n - name: Check existence of clock_settime in /etc/audit/audit.rules\n find:\n paths: /etc/audit\n contains: -a always,exit -F arch=b32(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* -F a0=0x0 (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: audit.rules\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Set path to /etc/audit/audit.rules\n set_fact: audit_file=\"/etc/audit/audit.rules\"\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( -F a0=0x0 (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F\n key=time-change\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - 
CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_clock_settime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Perform remediation of Audit rules for clock_settime for x86_64 platform\n block:\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - clock_settime\n syscall_grouping: []\n\n - name: Check existence of clock_settime in /etc/audit/rules.d/\n find:\n paths: /etc/audit/rules.d\n contains: -a always,exit -F arch=b64(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* -F a0=0x0 (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: '*.rules'\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Reset syscalls found per file\n set_fact:\n syscalls_per_file: {}\n found_paths_dict: {}\n\n - name: Declare syscalls found per file\n set_fact: syscalls_per_file=\"{{ syscalls_per_file | combine( {item.files[0].path\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\"\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\n\n - name: Declare files where syscalls were found\n set_fact: found_paths=\"{{ find_command.results | map(attribute='files') | flatten\n | map(attribute='path') | list }}\"\n\n - name: Count occurrences of syscalls in paths\n set_fact: found_paths_dict=\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\n 0) }) }}\"\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\n | list }}'\n\n - name: Get path with most syscalls\n set_fact: audit_file=\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\n | last).key }}\"\n when: found_paths | length >= 1\n\n - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules\n set_fact: audit_file=\"/etc/audit/rules.d/time-change.rules\"\n when: found_paths | 
length == 0\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( -F a0=0x0 (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F\n key=time-change\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - clock_settime\n syscall_grouping: []\n\n - name: Check existence of clock_settime in /etc/audit/audit.rules\n find:\n paths: /etc/audit\n contains: -a always,exit -F arch=b64(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* -F a0=0x0 (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: audit.rules\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Set path to /etc/audit/audit.rules\n set_fact: audit_file=\"/etc/audit/audit.rules\"\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( -F a0=0x0 
(?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F\n key=time-change\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n when:\n - '\"audit\" in ansible_facts.packages'\n - audit_arch == \"b64\"\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_clock_settime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy" + "fix": "- name: Gather the package facts\n package_facts:\n manager: auto\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_clock_settime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Set architecture for audit tasks\n set_fact:\n audit_arch: b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_clock_settime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Perform remediation of Audit rules for clock_settime for x86 platform\n block:\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - clock_settime\n syscall_grouping: []\n\n - name: Check existence of clock_settime in /etc/audit/rules.d/\n find:\n paths: 
/etc/audit/rules.d\n contains: -a always,exit -F arch=b32(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* -F a0=0x0 (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: '*.rules'\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Reset syscalls found per file\n set_fact:\n syscalls_per_file: {}\n found_paths_dict: {}\n\n - name: Declare syscalls found per file\n set_fact: syscalls_per_file=\"{{ syscalls_per_file | combine( {item.files[0].path\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\"\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\n\n - name: Declare files where syscalls were found\n set_fact: found_paths=\"{{ find_command.results | map(attribute='files') | flatten\n | map(attribute='path') | list }}\"\n\n - name: Count occurrences of syscalls in paths\n set_fact: found_paths_dict=\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\n 0) }) }}\"\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\n | list }}'\n\n - name: Get path with most syscalls\n set_fact: audit_file=\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\n | last).key }}\"\n when: found_paths | length >= 1\n\n - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules\n set_fact: audit_file=\"/etc/audit/rules.d/time-change.rules\"\n when: found_paths | length == 0\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( -F a0=0x0 (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls 
| join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F\n key=time-change\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - clock_settime\n syscall_grouping: []\n\n - name: Check existence of clock_settime in /etc/audit/audit.rules\n find:\n paths: /etc/audit\n contains: -a always,exit -F arch=b32(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* -F a0=0x0 (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: audit.rules\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Set path to /etc/audit/audit.rules\n set_fact: audit_file=\"/etc/audit/audit.rules\"\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( -F a0=0x0 (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F\n key=time-change\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - 
NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_clock_settime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Perform remediation of Audit rules for clock_settime for x86_64 platform\n block:\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - clock_settime\n syscall_grouping: []\n\n - name: Check existence of clock_settime in /etc/audit/rules.d/\n find:\n paths: /etc/audit/rules.d\n contains: -a always,exit -F arch=b64(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* -F a0=0x0 (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: '*.rules'\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Reset syscalls found per file\n set_fact:\n syscalls_per_file: {}\n found_paths_dict: {}\n\n - name: Declare syscalls found per file\n set_fact: syscalls_per_file=\"{{ syscalls_per_file | combine( {item.files[0].path\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\"\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\n\n - name: Declare files where syscalls were found\n set_fact: found_paths=\"{{ find_command.results | map(attribute='files') | flatten\n | map(attribute='path') | list }}\"\n\n - name: Count occurrences of syscalls in paths\n set_fact: found_paths_dict=\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\n 0) }) }}\"\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\n | list }}'\n\n - name: Get path with most syscalls\n set_fact: audit_file=\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\n | last).key }}\"\n when: found_paths | length >= 1\n\n - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules\n set_fact: audit_file=\"/etc/audit/rules.d/time-change.rules\"\n when: found_paths | length == 0\n\n - name: Declare found syscalls\n set_fact: 
syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( -F a0=0x0 (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F\n key=time-change\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - clock_settime\n syscall_grouping: []\n\n - name: Check existence of clock_settime in /etc/audit/audit.rules\n find:\n paths: /etc/audit\n contains: -a always,exit -F arch=b64(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* -F a0=0x0 (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: audit.rules\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Set path to /etc/audit/audit.rules\n set_fact: audit_file=\"/etc/audit/audit.rules\"\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( -F a0=0x0 (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | 
join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F\n key=time-change\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n when:\n - '\"audit\" in ansible_facts.packages'\n - audit_arch == \"b64\"\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_clock_settime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy" } }, { 
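Review bot: The `desc` value carried as context in this hunk has lost the inner text of its inline markup — `If thedaemon is configured to use theprogram to read audit rules`, `a file with suffixin the\ndirectory:` and each `add the following line …:` followed by nothing — so the expected output no longer names the daemon, the utility, the rules-file suffix, the directory, or the audit rule lines an operator is supposed to add, which is the actionable part of this control. If this fixture is regenerated from the `removeHtmlTags`/`removeXMLSpecialCharacters` path (the xccdf.ts import change in this commit suggests so, but that cannot be confirmed from here), the stripper should keep element text and substitute a space for a removed tag rather than dropping the node, and the fixture should then be regenerated so `desc` reads along the lines of `If the <daemon> daemon is configured to use the <utility> program …` with the rule lines intact (presumably `auditd`/`augenrules` per the upstream rule text — verify against the source XCCDF). Separately, the `-`/`+` pair for `fix` is byte-identical in this rendering, so the actual change to that ~4 KB YAML string cannot be reviewed; if it is only an escaping or whitespace difference, a normalized comparison in the test would keep such fixture churn out of future diffs. The `title` change from `undefined title` is a correct fix for the `#text` lookup.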
@@ -46521,187 +46521,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
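Review bot: Every removed and added `"url"` line in this hunk reads identically in this view (`.../one-column.aspx?pageid=111294&productId=116731`), so the actual byte change is not reviewable here; if the difference is how the `&` in the query string is represented (an entity form such as `&amp;` versus the literal character) or trailing whitespace, that should be stated in the commit description, because a consumer that uses these strings as URLs would be affected by an entity-encoded ampersand. The same applies to the hunk at @@ -47254. The hunk header counts (187 lines each side) suggest a one-for-one rewrite of each URL line rather than added or dropped references, which is consistent with an encoding-only change.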
@@ -46904,11 +46904,11 @@ } ], "id": "audit_rules_time_settimeofday", - "title": "undefined title", + "title": "Record attempts to alter time through settimeofday", "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:The -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. See an example of multiple combined syscalls:", "impact": 0.5, "descs": { - "fix": "- name: Gather the package facts\n package_facts:\n manager: auto\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_settimeofday\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Set architecture for audit tasks\n set_fact:\n audit_arch: b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_settimeofday\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Perform remediation of Audit rules for settimeofday for x86 platform\n block:\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - settimeofday\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - 
name: Check existence of settimeofday in /etc/audit/rules.d/\n find:\n paths: /etc/audit/rules.d\n contains: -a always,exit -F arch=b32(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: '*.rules'\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Reset syscalls found per file\n set_fact:\n syscalls_per_file: {}\n found_paths_dict: {}\n\n - name: Declare syscalls found per file\n set_fact: syscalls_per_file=\"{{ syscalls_per_file | combine( {item.files[0].path\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\"\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\n\n - name: Declare files where syscalls were found\n set_fact: found_paths=\"{{ find_command.results | map(attribute='files') | flatten\n | map(attribute='path') | list }}\"\n\n - name: Count occurrences of syscalls in paths\n set_fact: found_paths_dict=\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\n 0) }) }}\"\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\n | list }}'\n\n - name: Get path with most syscalls\n set_fact: audit_file=\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\n | last).key }}\"\n when: found_paths | length >= 1\n\n - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules\n set_fact: audit_file=\"/etc/audit/rules.d/audit_time_rules.rules\"\n when: found_paths | length == 0\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\n | join(\"|\") }}))\\b)((?:( -S 
|,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - settimeofday\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - name: Check existence of settimeofday in /etc/audit/audit.rules\n find:\n paths: /etc/audit\n contains: -a always,exit -F arch=b32(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: audit.rules\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Set path to /etc/audit/audit.rules\n set_fact: audit_file=\"/etc/audit/audit.rules\"\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n when: '\"audit\" in ansible_facts.packages'\n 
tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_settimeofday\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Perform remediation of Audit rules for settimeofday for x86_64 platform\n block:\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - settimeofday\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - name: Check existence of settimeofday in /etc/audit/rules.d/\n find:\n paths: /etc/audit/rules.d\n contains: -a always,exit -F arch=b64(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: '*.rules'\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Reset syscalls found per file\n set_fact:\n syscalls_per_file: {}\n found_paths_dict: {}\n\n - name: Declare syscalls found per file\n set_fact: syscalls_per_file=\"{{ syscalls_per_file | combine( {item.files[0].path\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\"\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\n\n - name: Declare files where syscalls were found\n set_fact: found_paths=\"{{ find_command.results | map(attribute='files') | flatten\n | map(attribute='path') | list }}\"\n\n - name: Count occurrences of syscalls in paths\n set_fact: found_paths_dict=\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\n 0) }) }}\"\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\n | list }}'\n\n - name: Get path with most syscalls\n set_fact: audit_file=\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\n | last).key }}\"\n when: found_paths | length >= 1\n\n - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules\n set_fact: 
audit_file=\"/etc/audit/rules.d/audit_time_rules.rules\"\n when: found_paths | length == 0\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - settimeofday\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - name: Check existence of settimeofday in /etc/audit/audit.rules\n find:\n paths: /etc/audit\n contains: -a always,exit -F arch=b64(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: audit.rules\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Set path to /etc/audit/audit.rules\n set_fact: audit_file=\"/etc/audit/audit.rules\"\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F 
arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n when:\n - '\"audit\" in ansible_facts.packages'\n - audit_arch == \"b64\"\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_settimeofday\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy" + "fix": "- name: Gather the package facts\n package_facts:\n manager: auto\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_settimeofday\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Set architecture for audit tasks\n set_fact:\n audit_arch: b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_settimeofday\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Perform remediation of Audit rules for settimeofday for x86 platform\n block:\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - settimeofday\n syscall_grouping:\n - adjtimex\n - 
settimeofday\n - stime\n\n - name: Check existence of settimeofday in /etc/audit/rules.d/\n find:\n paths: /etc/audit/rules.d\n contains: -a always,exit -F arch=b32(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: '*.rules'\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Reset syscalls found per file\n set_fact:\n syscalls_per_file: {}\n found_paths_dict: {}\n\n - name: Declare syscalls found per file\n set_fact: syscalls_per_file=\"{{ syscalls_per_file | combine( {item.files[0].path\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\"\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\n\n - name: Declare files where syscalls were found\n set_fact: found_paths=\"{{ find_command.results | map(attribute='files') | flatten\n | map(attribute='path') | list }}\"\n\n - name: Count occurrences of syscalls in paths\n set_fact: found_paths_dict=\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\n 0) }) }}\"\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\n | list }}'\n\n - name: Get path with most syscalls\n set_fact: audit_file=\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\n | last).key }}\"\n when: found_paths | length >= 1\n\n - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules\n set_fact: audit_file=\"/etc/audit/rules.d/audit_time_rules.rules\"\n when: found_paths | length == 0\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\n | 
join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - settimeofday\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - name: Check existence of settimeofday in /etc/audit/audit.rules\n find:\n paths: /etc/audit\n contains: -a always,exit -F arch=b32(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: audit.rules\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Set path to /etc/audit/audit.rules\n set_fact: audit_file=\"/etc/audit/audit.rules\"\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n when: '\"audit\" in 
ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_settimeofday\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Perform remediation of Audit rules for settimeofday for x86_64 platform\n block:\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - settimeofday\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - name: Check existence of settimeofday in /etc/audit/rules.d/\n find:\n paths: /etc/audit/rules.d\n contains: -a always,exit -F arch=b64(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: '*.rules'\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Reset syscalls found per file\n set_fact:\n syscalls_per_file: {}\n found_paths_dict: {}\n\n - name: Declare syscalls found per file\n set_fact: syscalls_per_file=\"{{ syscalls_per_file | combine( {item.files[0].path\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\"\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\n\n - name: Declare files where syscalls were found\n set_fact: found_paths=\"{{ find_command.results | map(attribute='files') | flatten\n | map(attribute='path') | list }}\"\n\n - name: Count occurrences of syscalls in paths\n set_fact: found_paths_dict=\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\n 0) }) }}\"\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\n | list }}'\n\n - name: Get path with most syscalls\n set_fact: audit_file=\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\n | last).key }}\"\n when: found_paths | length >= 1\n\n - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules\n set_fact: 
audit_file=\"/etc/audit/rules.d/audit_time_rules.rules\"\n when: found_paths | length == 0\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - settimeofday\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - name: Check existence of settimeofday in /etc/audit/audit.rules\n find:\n paths: /etc/audit\n contains: -a always,exit -F arch=b64(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: audit.rules\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Set path to /etc/audit/audit.rules\n set_fact: audit_file=\"/etc/audit/audit.rules\"\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F 
arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n when:\n - '\"audit\" in ansible_facts.packages'\n - audit_arch == \"b64\"\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_settimeofday\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy" } }, { 
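Review bot: The `"desc"` context line in this hunk contains text where inline elements appear to have been dropped together with their content ("If thedaemon is configured to use theprogram ...", "a file with suffixin the\ndirectory:", "add the following line:" followed by nothing), so the rendered description no longer names the daemon, the program, the suffix, or the audit rule line it tells the reader to add; the snapshot is regenerated by this commit but that loss is not addressed. It looks like tag removal is discarding the inner text of `<tt>`/`<pre>`-style elements rather than only the tags — worth confirming against the parser before accepting this fixture as the expected output. Separately, the removed and added `"fix"` strings read identically in this view, so as with the URL hunks the real difference (escaping or whitespace) should be called out so reviewers can check it.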
@@ -47254,187 +47254,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -47637,11 +47637,11 @@ } ], "id": "audit_rules_time_stime", - "title": "undefined title", + "title": "Record Attempts to Alter Time Through stime", "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectoryfor both 32 bit and 64 bit systems:Since the 64 bit version of the \"stime\" system call is not defined in the audit\nlookup table, the corresponding \"-F arch=b64\" form of this rule is not expected\nto be defined on 64 bit systems (the aforementioned \"-F arch=b32\" stime rule\nform itself is sufficient for both 32 bit and 64 bit systems). If thedaemon is configured to use theutility to\nread audit rules during daemon startup, add the following line tofile for both 32 bit and 64 bit systems:Since the 64 bit version of the \"stime\" system call is not defined in the audit\nlookup table, the corresponding \"-F arch=b64\" form of this rule is not expected\nto be defined on 64 bit systems (the aforementioned \"-F arch=b32\" stime rule\nform itself is sufficient for both 32 bit and 64 bit systems). The -k option\nallows for the specification of a key in string form that can be used for\nbetter reporting capability through ausearch and aureport. Multiple system\ncalls can be defined on the same line to save space if desired, but is not\nrequired. 
See an example of multiple combined system calls:", "impact": 0.5, "descs": { - "fix": "- name: Gather the package facts\n package_facts:\n manager: auto\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_stime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Perform remediation of Audit rules for stime syscall for x86 platform\n block:\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - stime\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - name: Check existence of stime in /etc/audit/rules.d/\n find:\n paths: /etc/audit/rules.d\n contains: -a always,exit -F arch=b32(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: '*.rules'\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Reset syscalls found per file\n set_fact:\n syscalls_per_file: {}\n found_paths_dict: {}\n\n - name: Declare syscalls found per file\n set_fact: syscalls_per_file=\"{{ syscalls_per_file | combine( {item.files[0].path\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\"\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\n\n - name: Declare files where syscalls were found\n set_fact: found_paths=\"{{ find_command.results | map(attribute='files') | flatten\n | map(attribute='path') | list }}\"\n\n - name: Count occurrences of syscalls in paths\n set_fact: found_paths_dict=\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\n 0) }) }}\"\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\n | list }}'\n\n - name: Get path with most syscalls\n set_fact: audit_file=\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\n | last).key }}\"\n when: found_paths | length >= 1\n\n - name: 
No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules\n set_fact: audit_file=\"/etc/audit/rules.d/audit_time_rules.rules\"\n when: found_paths | length == 0\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - stime\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - name: Check existence of stime in /etc/audit/audit.rules\n find:\n paths: /etc/audit\n contains: -a always,exit -F arch=b32(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: audit.rules\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Set path to /etc/audit/audit.rules\n set_fact: audit_file=\"/etc/audit/audit.rules\"\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n 
lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_stime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy" + "fix": "- name: Gather the package facts\n package_facts:\n manager: auto\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_stime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Perform remediation of Audit rules for stime syscall for x86 platform\n block:\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - stime\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - name: Check existence of stime in /etc/audit/rules.d/\n find:\n paths: /etc/audit/rules.d\n contains: -a always,exit -F arch=b32(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: '*.rules'\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Reset syscalls found per file\n set_fact:\n syscalls_per_file: {}\n found_paths_dict: {}\n\n - name: Declare syscalls 
found per file\n set_fact: syscalls_per_file=\"{{ syscalls_per_file | combine( {item.files[0].path\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\"\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\n\n - name: Declare files where syscalls were found\n set_fact: found_paths=\"{{ find_command.results | map(attribute='files') | flatten\n | map(attribute='path') | list }}\"\n\n - name: Count occurrences of syscalls in paths\n set_fact: found_paths_dict=\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\n 0) }) }}\"\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\n | list }}'\n\n - name: Get path with most syscalls\n set_fact: audit_file=\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\n | last).key }}\"\n when: found_paths | length >= 1\n\n - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules\n set_fact: audit_file=\"/etc/audit/rules.d/audit_time_rules.rules\"\n when: found_paths | length == 0\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | 
length == 0\n\n - name: Declare list of syscalls\n set_fact:\n syscalls:\n - stime\n syscall_grouping:\n - adjtimex\n - settimeofday\n - stime\n\n - name: Check existence of stime in /etc/audit/audit.rules\n find:\n paths: /etc/audit\n contains: -a always,exit -F arch=b32(( -S |,)\\w+)*(( -S |,){{ item }})+((\n -S |,)\\w+)* (-k\\s+|-F\\s+key=)\\S+\\s*$\n patterns: audit.rules\n register: find_command\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\n\n - name: Set path to /etc/audit/audit.rules\n set_fact: audit_file=\"/etc/audit/audit.rules\"\n\n - name: Declare found syscalls\n set_fact: syscalls_found=\"{{ find_command.results | selectattr('matched') |\n map(attribute='item') | list }}\"\n\n - name: Declare missing syscalls\n set_fact: missing_syscalls=\"{{ syscalls | difference(syscalls_found) }}\"\n\n - name: Replace the audit rule in {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found\n | join(\"|\") }}))\\b)((?:( -S |,)\\w+)+)( (?:-k |-F key=)\\w+)\n line: \\1\\2\\3{{ missing_syscalls | join(\"\\3\") }}\\4\n backrefs: true\n state: present\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\n\n - name: Add the audit rule to {{ audit_file }}\n lineinfile:\n path: '{{ audit_file }}'\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\n create: true\n mode: o-rwx\n state: present\n when: syscalls_found | length == 0\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_stime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy" } }, { 
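Review bot: The `desc` values in this hunk (and in the hunks at -48370 and -49174) read "If thedaemon is configured to use theprogram to read audit rules ... add the following line to a file with suffixin the directory:If the...", so the daemon name, the utility name, the file suffix and, more importantly, the audit rule lines the reader is told to add have been dropped together with whatever inline markup wrapped them, leaving a remediation description that no longer contains its remediation. These are context lines, so the output under review still has this shape after the commit, and the `removeHtmlTags` import that this same patch adds to `src/parsers/xccdf.ts` is a plausible place where element content is discarded along with the tag (inferred from the patch header, not visible here). I would expect tag removal to keep the element's text and to render block elements as whitespace, pinned by a regression test such as (constructed) asserting that a description built from `<tt>auditd</tt> daemon` still contains `auditd daemon`. Once that is addressed, this expected-output fixture should be regenerated so the retitled entries also carry complete descriptions.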
@@ -47987,187 +47987,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
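Review bot: Every `-`/`+` pair in this hunk (and in the hunk at -48725) shows the same text on both sides, e.g. `"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"`, so the 187-line rewrite is presumably a whitespace, line-ending or entity-decoding difference that this rendering does not show; the switch of `convertEncodedXmlIntoJson` to `'withArrayNoEntitiesOption'` in this same commit is one possible source. It would help to confirm the byte-level difference (`git diff -w` or `git diff --word-diff-regex=.`) and, if only whitespace or line endings changed, to normalise the fixture generator so the diff collapses to the real `title` changes; if entity handling changed, one assertion on a URL containing `&` would document the intended output.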
@@ -48370,11 +48370,11 @@ } ], "id": "audit_rules_time_watch_localtime", - "title": "undefined title", + "title": "Record Attempts to Alter the localtime File", "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default),\nadd the following line to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:The -k option allows for the specification of a key in string form that can\nbe used for better reporting capability through ausearch and aureport and\nshould always be used.", "impact": 0.5, "descs": { - "fix": "- name: Gather the package facts\n package_facts:\n manager: auto\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_watch_localtime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/\n find:\n paths: /etc/audit/rules.d\n contains: ^\\s*-w\\s+/etc/localtime\\s+-p\\s+wa(\\s|$)+\n patterns: '*.rules'\n register: find_existing_watch_rules_d\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_watch_localtime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Search /etc/audit/rules.d for other rules with specified key audit_time_rules\n find:\n paths: /etc/audit/rules.d\n contains: ^.*(?:-F key=|-k\\s+)audit_time_rules$\n patterns: '*.rules'\n register: find_watch_key\n when:\n - '\"audit\" in ansible_facts.packages'\n - find_existing_watch_rules_d.matched is defined and 
find_existing_watch_rules_d.matched\n == 0\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_watch_localtime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule\n set_fact:\n all_files:\n - /etc/audit/rules.d/audit_time_rules.rules\n when:\n - '\"audit\" in ansible_facts.packages'\n - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched\n is defined and find_existing_watch_rules_d.matched == 0\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_watch_localtime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Use matched file as the recipient for the rule\n set_fact:\n all_files:\n - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'\n when:\n - '\"audit\" in ansible_facts.packages'\n - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched\n is defined and find_existing_watch_rules_d.matched == 0\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_watch_localtime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Add watch rule for /etc/localtime in /etc/audit/rules.d/\n lineinfile:\n path: '{{ all_files[0] }}'\n line: -w /etc/localtime -p wa -k audit_time_rules\n create: true\n mode: '0640'\n when:\n - '\"audit\" in ansible_facts.packages'\n - find_existing_watch_rules_d.matched 
is defined and find_existing_watch_rules_d.matched\n == 0\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_watch_localtime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules\n find:\n paths: /etc/audit/\n contains: ^\\s*-w\\s+/etc/localtime\\s+-p\\s+wa(\\s|$)+\n patterns: audit.rules\n register: find_existing_watch_audit_rules\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_watch_localtime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Add watch rule for /etc/localtime in /etc/audit/audit.rules\n lineinfile:\n line: -w /etc/localtime -p wa -k audit_time_rules\n state: present\n dest: /etc/audit/audit.rules\n create: true\n mode: '0640'\n when:\n - '\"audit\" in ansible_facts.packages'\n - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched\n == 0\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_watch_localtime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy" + "fix": "- name: Gather the package facts\n package_facts:\n manager: auto\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_watch_localtime\n - low_complexity\n - low_disruption\n - medium_severity\n - 
no_reboot_needed\n - restrict_strategy\n\n- name: Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/\n find:\n paths: /etc/audit/rules.d\n contains: ^\\s*-w\\s+/etc/localtime\\s+-p\\s+wa(\\s|$)+\n patterns: '*.rules'\n register: find_existing_watch_rules_d\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_watch_localtime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Search /etc/audit/rules.d for other rules with specified key audit_time_rules\n find:\n paths: /etc/audit/rules.d\n contains: ^.*(?:-F key=|-k\\s+)audit_time_rules$\n patterns: '*.rules'\n register: find_watch_key\n when:\n - '\"audit\" in ansible_facts.packages'\n - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched\n == 0\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_watch_localtime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule\n set_fact:\n all_files:\n - /etc/audit/rules.d/audit_time_rules.rules\n when:\n - '\"audit\" in ansible_facts.packages'\n - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched\n is defined and find_existing_watch_rules_d.matched == 0\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_watch_localtime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - 
restrict_strategy\n\n- name: Use matched file as the recipient for the rule\n set_fact:\n all_files:\n - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'\n when:\n - '\"audit\" in ansible_facts.packages'\n - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched\n is defined and find_existing_watch_rules_d.matched == 0\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_watch_localtime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Add watch rule for /etc/localtime in /etc/audit/rules.d/\n lineinfile:\n path: '{{ all_files[0] }}'\n line: -w /etc/localtime -p wa -k audit_time_rules\n create: true\n mode: '0640'\n when:\n - '\"audit\" in ansible_facts.packages'\n - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched\n == 0\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_watch_localtime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules\n find:\n paths: /etc/audit/\n contains: ^\\s*-w\\s+/etc/localtime\\s+-p\\s+wa(\\s|$)+\n patterns: audit.rules\n register: find_existing_watch_audit_rules\n when: '\"audit\" in ansible_facts.packages'\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_watch_localtime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy\n\n- name: Add watch rule for /etc/localtime in 
/etc/audit/audit.rules\n lineinfile:\n line: -w /etc/localtime -p wa -k audit_time_rules\n state: present\n dest: /etc/audit/audit.rules\n create: true\n mode: '0640'\n when:\n - '\"audit\" in ansible_facts.packages'\n - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched\n == 0\n tags:\n - CJIS-5.4.1.1\n - NIST-800-171-3.1.7\n - NIST-800-53-AC-6(9)\n - NIST-800-53-AU-12(c)\n - NIST-800-53-AU-2(d)\n - NIST-800-53-CM-6(a)\n - PCI-DSS-Req-10.4.2.b\n - audit_rules_time_watch_localtime\n - low_complexity\n - low_disruption\n - medium_severity\n - no_reboot_needed\n - restrict_strategy" } }, { 
@@ -48725,187 +48725,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -49174,7 +49174,7 @@ } ], "id": "audit_rules_unsuccessful_file_modification_creat", - "title": "undefined title", + "title": "Record Unsuccessful Access Attempts to Files - creat", "desc": "At a minimum, the audit system should collect unauthorized file\naccesses for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following lines to a file with suffixin the directory:If the system is 64 bit then also add the following lines:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile:If the system is 64 bit then also add the following lines:", "impact": 0.5, "descs": {} 
@@ -49527,187 +49527,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -49976,7 +49976,7 @@ } ], "id": "audit_rules_unsuccessful_file_modification_ftruncate", - "title": "undefined title", + "title": "Record Unsuccessful Access Attempts to Files - ftruncate", "desc": "At a minimum, the audit system should collect unauthorized file\naccesses for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following lines to a file with suffixin the directory:If the system is 64 bit then also add the following lines:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile:If the system is 64 bit then also add the following lines:", "impact": 0.5, "descs": {} 
@@ -50329,187 +50329,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -50778,7 +50778,7 @@ } ], "id": "audit_rules_unsuccessful_file_modification_open", - "title": "undefined title", + "title": "Record Unsuccessful Access Attempts to Files - open", "desc": "At a minimum, the audit system should collect unauthorized file\naccesses for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following lines to a file with suffixin the directory:If the system is 64 bit then also add the following lines:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile:If the system is 64 bit then also add the following lines:", "impact": 0.5, "descs": {} 
@@ -51125,187 +51125,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -51574,7 +51574,7 @@ } ], "id": "audit_rules_unsuccessful_file_modification_open_by_handle_at", - "title": "undefined title", + "title": "Record Unsuccessful Access Attempts to Files - open_by_handle_at", "desc": "At a minimum, the audit system should collect unauthorized file\naccesses for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following lines to a file with suffixin the directory:If the system is 64 bit then also add the following lines:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile:If the system is 64 bit then also add the following lines:", "impact": 0.5, "descs": {} 
@@ -51927,187 +51927,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -52376,7 +52376,7 @@ } ], "id": "audit_rules_unsuccessful_file_modification_openat", - "title": "undefined title", + "title": "Record Unsuccessful Access Attempts to Files - openat", "desc": "At a minimum, the audit system should collect unauthorized file\naccesses for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following lines to a file with suffixin the directory:If the system is 64 bit then also add the following lines:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile:If the system is 64 bit then also add the following lines:", "impact": 0.5, "descs": {} 
@@ -52723,187 +52723,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -53172,7 +53172,7 @@ } ], "id": "audit_rules_unsuccessful_file_modification_truncate", - "title": "undefined title", + "title": "Record Unsuccessful Access Attempts to Files - truncate", "desc": "At a minimum, the audit system should collect unauthorized file\naccesses for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following lines to a file with suffixin the directory:If the system is 64 bit then also add the following lines:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile:If the system is 64 bit then also add the following lines:", "impact": 0.5, "descs": {} 
@@ -53501,277 +53501,277 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -54196,7 +54196,7 @@ } ], "id": "audit_rules_usergroup_modification", - "title": "undefined title", + "title": "Record Events that Modify User/Group Information", "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectory, in order to capture events that modify\naccount changes:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile, in order to capture events that modify\naccount changes:", "impact": 0.5, "descs": {} 
@@ -54615,277 +54615,277 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -55352,7 +55352,7 @@ } ], "id": "audit_rules_usergroup_modification_group", - "title": "undefined title", + "title": "Record Events that Modify User/Group Information - /etc/group", "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectory, in order to capture events that modify\naccount changes:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile, in order to capture events that modify\naccount changes:", "impact": 0.5, "descs": {} 
@@ -55771,277 +55771,277 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -56508,7 +56508,7 @@ } ], "id": "audit_rules_usergroup_modification_gshadow", - "title": "undefined title", + "title": "Record Events that Modify User/Group Information - /etc/gshadow", "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectory, in order to capture events that modify\naccount changes:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile, in order to capture events that modify\naccount changes:", "impact": 0.5, "descs": {} 
@@ -56927,277 +56927,277 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -57664,7 +57664,7 @@ } ], "id": "audit_rules_usergroup_modification_opasswd", - "title": "undefined title", + "title": "Record Events that Modify User/Group Information - /etc/security/opasswd", "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectory, in order to capture events that modify\naccount changes:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile, in order to capture events that modify\naccount changes:", "impact": 0.5, "descs": {} 
@@ -58083,277 +58083,277 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -58844,7 +58844,7 @@ } ], "id": "audit_rules_usergroup_modification_passwd", - "title": "undefined title", + "title": "Record Events that Modify User/Group Information - /etc/passwd", "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectory, in order to capture events that modify\naccount changes:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile, in order to capture events that modify\naccount changes:", "impact": 0.5, "descs": {} 
@@ -59263,277 +59263,277 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -60000,7 +60000,7 @@ } ], "id": "audit_rules_usergroup_modification_shadow", - "title": "undefined title", + "title": "Record Events that Modify User/Group Information - /etc/shadow", "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectory, in order to capture events that modify\naccount changes:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile, in order to capture events that modify\naccount changes:", "impact": 0.5, "descs": {} 
@@ -60046,7 +60046,7 @@ } ], "id": "auditd_audispd_configure_remote_server", - "title": "undefined title", + "title": "Configure audispd Plugin To Send Logs To Remote Server", "desc": "Configure the audispd plugin to off-load audit records onto a different\nsystem or media from the system being audited.\nSet theoption inwith an IP address or hostname of the system that the audispd plugin should\nsend audit records to. For example", "impact": 0.5, "descs": {} @@ -60086,7 +60086,7 @@ } ], "id": "auditd_audispd_configure_sufficiently_large_partition", - "title": "undefined title", + "title": "Configure a Sufficiently Large Partition for Audit Logs", "desc": "The Ubuntu 20.04 operating system must allocate audit record storage\ncapacity to store at least one weeks worth of audit records when audit\nrecords are not immediately sent to a central audit record storage\nfacility.\n\nThe partition size needed to capture a week's worth of audit records is\nbased on the activity level of the system and the total storage capacity\navailable. In normal circumstances, 10.0 GB of storage space for audit\nrecords will be sufficient.\n\nDetermine which partition the audit records are being written to with the\nfollowing command:Check the size of the partition that audit records are written to with the\nfollowing command:", "impact": 0.5, "descs": {} 
@@ -60326,97 +60326,97 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, 
{ "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -60535,11 +60535,11 @@ } ], "id": "auditd_audispd_syslog_plugin_activated", - "title": "undefined title", + "title": "Configure auditd to use audispd's syslog plugin", "desc": "To configure theservice to use theplug-in of theaudit event multiplexor, set\ntheline into.\nRestart theservice:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\nvar_syslog_active=\"yes\"\n\n\nAUDISP_SYSLOGCONFIG=/etc/audisp/plugins.d/syslog.conf\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"$AUDISP_SYSLOGCONFIG\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^active\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_syslog_active\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^active\\\\>\" \"$AUDISP_SYSLOGCONFIG\"; then\n \"${sed_command[@]}\" \"s/^active\\\\>.*/$formatted_output/gi\" \"$AUDISP_SYSLOGCONFIG\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"$AUDISP_SYSLOGCONFIG\" >> \"$AUDISP_SYSLOGCONFIG\"\n printf '%s\\n' \"$formatted_output\" >> \"$AUDISP_SYSLOGCONFIG\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\nvar_syslog_active=\"yes\"\n\n\nAUDISP_SYSLOGCONFIG=/etc/audisp/plugins.d/syslog.conf\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"$AUDISP_SYSLOGCONFIG\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^active\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_syslog_active\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^active\\\\>\" \"$AUDISP_SYSLOGCONFIG\"; then\n \"${sed_command[@]}\" \"s/^active\\\\>.*/$formatted_output/gi\" \"$AUDISP_SYSLOGCONFIG\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"$AUDISP_SYSLOGCONFIG\" >> \"$AUDISP_SYSLOGCONFIG\"\n printf '%s\\n' \"$formatted_output\" >> \"$AUDISP_SYSLOGCONFIG\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -60728,109 +60728,109 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] 
}, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -60967,7 +60967,7 @@ } ], "id": "auditd_data_disk_error_action", - "title": "undefined title", + "title": "Configure auditd Disk Error Action on Disk Error", "desc": "Theservice can be configured to take an action\nwhen there is a disk error.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\nmode for corrective action. Acceptable values also include,,, and. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.", "impact": 0.5, "descs": {} 
@@ -61158,109 +61158,109 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] 
}, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -61403,7 +61403,7 @@ } ], "id": "auditd_data_disk_full_action", - "title": "undefined title", + "title": "Configure auditd Disk Full Action when Disk Space Is Full", "desc": "Theservice can be configured to take an action\nwhen disk space is running low but prior to running out of space completely.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\nmode for corrective action. Acceptable values also include,,, and. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.", "impact": 0.5, "descs": {} 
@@ -61624,109 +61624,109 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] 
}, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -61965,7 +61965,7 @@ } ], "id": "auditd_data_retention_action_mail_acct", - "title": "undefined title", + "title": "Configure auditd mail_acct Action on Low Disk Space", "desc": "Theservice can be configured to send email to\na designated account in certain situations. Add or correct the following line\ninto ensure that administrators are notified\nvia email for those situations:", "impact": 0.5, "descs": {} 
@@ -62192,109 +62192,109 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] 
}, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -62437,7 +62437,7 @@ } ], "id": "auditd_data_retention_admin_space_left_action", - "title": "undefined title", + "title": "Configure auditd admin_space_left Action on Low Disk Space", "desc": "Theservice can be configured to take an action\nwhen disk space is running low but prior to running out of space completely.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single user\nmode for corrective action. Acceptable values also includeand. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.", "impact": 0.5, "descs": {} 
@@ -62616,97 +62616,97 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, 
{ "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -62849,7 +62849,7 @@ } ], "id": "auditd_data_retention_max_log_file", - "title": "undefined title", + "title": "Configure auditd Max Log File Size", "desc": "Determine the amount of audit data (in megabytes)\nwhich should be retained in each log file. Edit the file. Add or modify the following line, substituting\nthe correct value offor:Set the value to(MB) or higher for general-purpose systems.\nLarger values, of course,\nsupport retention of even more audit data.", "impact": 0.5, "descs": {} 
@@ -63058,109 +63058,109 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] 
}, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -63303,7 +63303,7 @@ } ], "id": "auditd_data_retention_max_log_file_action", - "title": "undefined title", + "title": "Configure auditd max_log_file_action Upon Reaching Maximum Log Size", "desc": "The default action to take when the logs reach their maximum size\nis to rotate the log files, discarding the oldest one. To configure the action taken\nby, add or correct the line in:Possible values forare described in theman\npage. These include:Set thetoto ensure log rotation\noccurs. This is the default. The setting is case-insensitive.", "impact": 0.5, "descs": {} 
@@ -63483,97 +63483,97 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, 
{ "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -63716,11 +63716,11 @@ } ], "id": "auditd_data_retention_num_logs", - "title": "undefined title", + "title": "Configure auditd Number of Logs Retained", "desc": "Determine how many log filesshould retain when it rotates logs.\nEdit the file. Add or modify the following\nline, substitutingwith the correct value of:Set the value to 5 for general-purpose systems.\nNote that values less than 2 result in no log rotation.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\n\nvar_auditd_num_logs=\"\"\n\n\n\nAUDITCONFIG=/etc/audit/auditd.conf\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"$AUDITCONFIG\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^num_logs\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_auditd_num_logs\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^num_logs\\\\>\" \"$AUDITCONFIG\"; then\n \"${sed_command[@]}\" \"s/^num_logs\\\\>.*/$formatted_output/gi\" \"$AUDITCONFIG\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"$AUDITCONFIG\" >> \"$AUDITCONFIG\"\n printf '%s\\n' \"$formatted_output\" >> \"$AUDITCONFIG\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\n\nvar_auditd_num_logs=\"\"\n\n\n\nAUDITCONFIG=/etc/audit/auditd.conf\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"$AUDITCONFIG\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^num_logs\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_auditd_num_logs\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^num_logs\\\\>\" \"$AUDITCONFIG\"; then\n \"${sed_command[@]}\" \"s/^num_logs\\\\>.*/$formatted_output/gi\" \"$AUDITCONFIG\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"$AUDITCONFIG\" >> \"$AUDITCONFIG\"\n printf '%s\\n' \"$formatted_output\" >> \"$AUDITCONFIG\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -63909,109 +63909,109 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] 
}, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -64160,7 +64160,7 @@ } ], "id": "auditd_data_retention_space_left", - "title": "undefined title", + "title": "Configure auditd space_left on Low Disk Space", "desc": "Theservice can be configured to take an action\nwhen disk space is running low but prior to running out of space completely.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value to the appropriate size in Megabytes cause the system to\nnotify the user of an issue.", "impact": 0.5, "descs": {} 
@@ -64375,109 +64375,109 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] 
}, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -64626,7 +64626,7 @@ } ], "id": "auditd_data_retention_space_left_action", - "title": "undefined title", + "title": "Configure auditd space_left Action on Low Disk Space", "desc": "Theservice can be configured to take an action\nwhen disk spaceto run low.\nEdit the file. Modify the following line,\nsubstitutingappropriately:Possible values forare described in theman page.\nThese include:Set this to(instead of the default,\nwhich is) as it is more likely to get prompt attention. Acceptable values\nalso include,, and.", "impact": 0.5, "descs": {} 
@@ -64655,11 +64655,11 @@ } ], "id": "auditd_freq", - "title": "undefined title", + "title": "Set number of records to cause an explicit flush to audit logs", "desc": "To configure Audit daemon to issue an explicit flush to disk command\nafter writing 50 records, settoin.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\nif [ -e \"/etc/audit/auditd.conf\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*freq\\s*=\\s*/Id\" \"/etc/audit/auditd.conf\"\nelse\n touch \"/etc/audit/auditd.conf\"\nfi\ncp \"/etc/audit/auditd.conf\" \"/etc/audit/auditd.conf.bak\"\n# Insert at the end of the file\nprintf '%s\\n' \"freq = 50\" >> \"/etc/audit/auditd.conf\"\n# Clean up after ourselves.\nrm \"/etc/audit/auditd.conf.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\nif [ -e \"/etc/audit/auditd.conf\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*freq\\s*=\\s*/Id\" \"/etc/audit/auditd.conf\"\nelse\n touch \"/etc/audit/auditd.conf\"\nfi\ncp \"/etc/audit/auditd.conf\" \"/etc/audit/auditd.conf.bak\"\n# Insert at the end of the file\nprintf '%s\\n' \"freq = 50\" >> \"/etc/audit/auditd.conf\"\n# Clean up after ourselves.\nrm \"/etc/audit/auditd.conf.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -64698,11 +64698,11 @@ } ], "id": "auditd_local_events", - "title": "undefined title", + "title": "Include Local Events in Audit Logs", "desc": "To configure Audit daemon to include local events in Audit logs, settoin.\nThis is the default setting.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\nif [ -e \"/etc/audit/auditd.conf\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*local_events\\s*=\\s*/Id\" \"/etc/audit/auditd.conf\"\nelse\n touch \"/etc/audit/auditd.conf\"\nfi\ncp \"/etc/audit/auditd.conf\" \"/etc/audit/auditd.conf.bak\"\n# Insert at the end of the file\nprintf '%s\\n' \"local_events = yes\" >> \"/etc/audit/auditd.conf\"\n# Clean up after ourselves.\nrm \"/etc/audit/auditd.conf.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\nif [ -e \"/etc/audit/auditd.conf\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*local_events\\s*=\\s*/Id\" \"/etc/audit/auditd.conf\"\nelse\n touch \"/etc/audit/auditd.conf\"\nfi\ncp \"/etc/audit/auditd.conf\" \"/etc/audit/auditd.conf.bak\"\n# Insert at the end of the file\nprintf '%s\\n' \"local_events = yes\" >> \"/etc/audit/auditd.conf\"\n# Clean up after ourselves.\nrm \"/etc/audit/auditd.conf.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -64741,11 +64741,11 @@ } ], "id": "auditd_log_format", - "title": "undefined title", + "title": "Resolve information before writing to audit logs", "desc": "To configure Audit daemon to resolve all uid, gid, syscall,\narchitecture, and socket address information before writing the\nevents to disk, settoin.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\nif [ -e \"/etc/audit/auditd.conf\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*log_format\\s*=\\s*/Id\" \"/etc/audit/auditd.conf\"\nelse\n touch \"/etc/audit/auditd.conf\"\nfi\ncp \"/etc/audit/auditd.conf\" \"/etc/audit/auditd.conf.bak\"\n# Insert at the end of the file\nprintf '%s\\n' \"log_format = ENRICHED\" >> \"/etc/audit/auditd.conf\"\n# Clean up after ourselves.\nrm \"/etc/audit/auditd.conf.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\nif [ -e \"/etc/audit/auditd.conf\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*log_format\\s*=\\s*/Id\" \"/etc/audit/auditd.conf\"\nelse\n touch \"/etc/audit/auditd.conf\"\nfi\ncp \"/etc/audit/auditd.conf\" \"/etc/audit/auditd.conf.bak\"\n# Insert at the end of the file\nprintf '%s\\n' \"log_format = ENRICHED\" >> \"/etc/audit/auditd.conf\"\n# Clean up after ourselves.\nrm \"/etc/audit/auditd.conf.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -64790,11 +64790,11 @@ } ], "id": "auditd_name_format", - "title": "undefined title", + "title": "Set hostname as computer node name in audit logs", "desc": "To configure Audit daemon to use value returned by gethostname\nsyscall as computer node name in the audit events,\nsettoin.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\nif [ -e \"/etc/audit/auditd.conf\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*name_format\\s*=\\s*/Id\" \"/etc/audit/auditd.conf\"\nelse\n touch \"/etc/audit/auditd.conf\"\nfi\ncp \"/etc/audit/auditd.conf\" \"/etc/audit/auditd.conf.bak\"\n# Insert at the end of the file\nprintf '%s\\n' \"name_format = hostname\" >> \"/etc/audit/auditd.conf\"\n# Clean up after ourselves.\nrm \"/etc/audit/auditd.conf.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\nif [ -e \"/etc/audit/auditd.conf\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*name_format\\s*=\\s*/Id\" \"/etc/audit/auditd.conf\"\nelse\n touch \"/etc/audit/auditd.conf\"\nfi\ncp \"/etc/audit/auditd.conf\" \"/etc/audit/auditd.conf.bak\"\n# Insert at the end of the file\nprintf '%s\\n' \"name_format = hostname\" >> \"/etc/audit/auditd.conf\"\n# Clean up after ourselves.\nrm \"/etc/audit/auditd.conf.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -64832,7 +64832,7 @@ } ], "id": "auditd_overflow_action", - "title": "undefined title", + "title": "Appropriate Action Must be Setup When the Internal Audit Event Queue is Full", "desc": "The audit system should have an action setup in the event the internal event queue becomes full.\nTo setup an overflow action edit. Setto one of the following values:,,.", "impact": 0.5, "descs": {} @@ -64861,11 +64861,11 @@ } ], "id": "auditd_write_logs", - "title": "undefined title", + "title": "Write Audit Logs to the Disk", "desc": "To configure Audit daemon to write Audit logs to the disk, settoin.\nThis is the default setting.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\nif [ -e \"/etc/audit/auditd.conf\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*write_logs\\s*=\\s*/Id\" \"/etc/audit/auditd.conf\"\nelse\n touch \"/etc/audit/auditd.conf\"\nfi\ncp \"/etc/audit/auditd.conf\" \"/etc/audit/auditd.conf.bak\"\n# Insert at the end of the file\nprintf '%s\\n' \"write_logs = yes\" >> \"/etc/audit/auditd.conf\"\n# Clean up after ourselves.\nrm \"/etc/audit/auditd.conf.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\nif [ -e \"/etc/audit/auditd.conf\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*write_logs\\s*=\\s*/Id\" \"/etc/audit/auditd.conf\"\nelse\n touch \"/etc/audit/auditd.conf\"\nfi\ncp \"/etc/audit/auditd.conf\" \"/etc/audit/auditd.conf.bak\"\n# Insert at the end of the file\nprintf '%s\\n' \"write_logs = yes\" >> \"/etc/audit/auditd.conf\"\n# Clean up after ourselves.\nrm \"/etc/audit/auditd.conf.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -64946,265 +64946,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -65281,7 +65281,7 @@ } ], "id": "avahi_disable_publishing", - "title": "undefined title", + "title": "Disable Avahi Publishing", "desc": "To prevent Avahi from publishing its records, editand ensure the following line appears in thesection:", "impact": 0.3, "descs": {} 
@@ -65382,67 +65382,67 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": 
"SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -65519,7 +65519,7 @@ } ], "id": "chronyd_or_ntpd_set_maxpoll", - "title": "undefined title", + "title": "Configure Time Service Maxpoll Interval", "desc": "Theshould be configured toinorto continuously poll time servers. To configureinoradd the following:", "impact": 0.5, "descs": {} 
@@ -65542,11 +65542,11 @@ } ], "id": "chronyd_run_as_chrony_user", - "title": "undefined title", + "title": "Ensure that chronyd is running under chrony user account", "desc": "chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to\nsynchronize system clocks across a variety of systems and use a source that is highly\naccurate. More information on chrony can be found at.\nChrony can be configured to be a client and/or a server.\nTo ensure that chronyd is running under chrony user account, Add or edit thevariable into include:This recommendation only applies if chrony is in use on the system.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\\n' 'chrony' 2>/dev/null | grep -q installed; }; then\n\nif grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then\n\t# trying to solve cases where the parameter after OPTIONS\n\t#may or may not be enclosed in quotes\n\tsed -i -E -e 's/\\s*-u\\s+\\w+\\s*/ /' -e 's/^([\\s]*OPTIONS=[\"]?[^\"]*)(\"?)/\\1 -u chrony\\2/' /etc/sysconfig/chronyd\nelse\n\techo 'OPTIONS=\"-u chrony\"' >> /etc/sysconfig/chronyd\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\\n' 'chrony' 2>/dev/null | grep -q installed; }; then\n\nif grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then\n\t# trying to solve cases where the parameter after OPTIONS\n\t#may or may not be enclosed in quotes\n\tsed -i -E -e 's/\\s*-u\\s+\\w+\\s*/ /' -e 's/^([\\s]*OPTIONS=[\"]?[^\"]*)(\"?)/\\1 -u chrony\\2/' /etc/sysconfig/chronyd\nelse\n\techo 'OPTIONS=\"-u chrony\"' >> /etc/sysconfig/chronyd\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -65603,11 +65603,11 @@ } ], "id": "chronyd_specify_remote_server", - "title": "undefined title", + "title": "A remote time server for Chrony is configured", "desc": "is a daemon which implements the Network Time Protocol (NTP). It is designed to\nsynchronize system clocks across a variety of systems and use a source that is highly\naccurate. More information oncan be found at.can be configured to be a client and/or a server.\nAdd or edit server or pool lines toas appropriate:Multiple servers may be configured.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\\n' 'chrony' 2>/dev/null | grep -q installed; }; then\n\n\nvar_multiple_time_servers=\"\"\n\n\n\nconfig_file=\"/etc/chrony.conf\"\n\nif ! grep -q '^[\\s]*(?:server|pool)[\\s]+[\\w]+' \"$config_file\" ; then\n if ! grep -q '#[[:space:]]*server' \"$config_file\" ; then\n for server in $(echo \"$var_multiple_time_servers\" | tr ',' '\\n') ; do\n printf '\\nserver %s' \"$server\" >> \"$config_file\"\n done\n else\n sed -i 's/#[ \\t]*server/server/g' \"$config_file\"\n fi\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\\n' 'chrony' 2>/dev/null | grep -q installed; }; then\n\n\nvar_multiple_time_servers=\"\"\n\n\n\nconfig_file=\"/etc/chrony.conf\"\n\nif ! grep -q '^[\\s]*(?:server|pool)[\\s]+[\\w]+' \"$config_file\" ; then\n if ! 
grep -q '#[[:space:]]*server' \"$config_file\" ; then\n for server in $(echo \"$var_multiple_time_servers\" | tr ',' '\\n') ; do\n printf '\\nserver %s' \"$server\" >> \"$config_file\"\n done\n else\n sed -i 's/#[ \\t]*server/server/g' \"$config_file\"\n fi\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -65694,25 +65694,25 @@ { "ref": "4.2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.2.3.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.2.3.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.2.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { @@ -65795,7 +65795,7 @@ } ], "id": "clean_components_post_updating", - "title": "undefined title", + "title": "Ensure apt_get Removes Previous Package Versions", "desc": "should be configured to remove previous software components after\nnew versions have been installed. To configureto remove the\n\nprevious software components after updating, set theandtoin.", "impact": 0.3, "descs": {} @@ -65810,7 +65810,7 @@ }, "refs": [], "id": "configure_user_data_backups", - "title": "undefined title", + "title": "Configure Backups of User Data", "desc": "The operating system must conduct backups of user data contained\nin the operating system. The operating system provides utilities for\nautomating backups of user data. Commercial and open-source products\nare also available.", "impact": 0.5, "descs": {} 
@@ -65845,11 +65845,11 @@ } ], "id": "coredump_disable_backtraces", - "title": "undefined title", + "title": "Disable core dump backtraces", "desc": "Theoption insection\nofspecifies the maximum size in bytes of a core which will be processed.\nCore dumps exceeding this size may be stored, but the backtrace will not\nbe generated.", "impact": 0.5, "descs": { - "fix": "if [ -e \"/etc/systemd/coredump.conf\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*ProcessSizeMax\\s*=\\s*/Id\" \"/etc/systemd/coredump.conf\"\nelse\n touch \"/etc/systemd/coredump.conf\"\nfi\ncp \"/etc/systemd/coredump.conf\" \"/etc/systemd/coredump.conf.bak\"\n# Insert at the end of the file\nprintf '%s\\n' \"ProcessSizeMax=0\" >> \"/etc/systemd/coredump.conf\"\n# Clean up after ourselves.\nrm \"/etc/systemd/coredump.conf.bak\"" + "fix": "if [ -e \"/etc/systemd/coredump.conf\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*ProcessSizeMax\\s*=\\s*/Id\" \"/etc/systemd/coredump.conf\"\nelse\n touch \"/etc/systemd/coredump.conf\"\nfi\ncp \"/etc/systemd/coredump.conf\" \"/etc/systemd/coredump.conf.bak\"\n# Insert at the end of the file\nprintf '%s\\n' \"ProcessSizeMax=0\" >> \"/etc/systemd/coredump.conf\"\n# Clean up after ourselves.\nrm \"/etc/systemd/coredump.conf.bak\"" } }, { 
@@ -65882,11 +65882,11 @@ } ], "id": "coredump_disable_storage", - "title": "undefined title", + "title": "Disable storing core dump", "desc": "Theoption insection\nofcan be set toto disable storing core dumps permanently.", "impact": 0.5, "descs": { - "fix": "if [ -e \"/etc/systemd/coredump.conf\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*Storage\\s*=\\s*/Id\" \"/etc/systemd/coredump.conf\"\nelse\n touch \"/etc/systemd/coredump.conf\"\nfi\ncp \"/etc/systemd/coredump.conf\" \"/etc/systemd/coredump.conf.bak\"\n# Insert at the end of the file\nprintf '%s\\n' \"Storage=none\" >> \"/etc/systemd/coredump.conf\"\n# Clean up after ourselves.\nrm \"/etc/systemd/coredump.conf.bak\"" + "fix": "if [ -e \"/etc/systemd/coredump.conf\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*Storage\\s*=\\s*/Id\" \"/etc/systemd/coredump.conf\"\nelse\n touch \"/etc/systemd/coredump.conf\"\nfi\ncp \"/etc/systemd/coredump.conf\" \"/etc/systemd/coredump.conf.bak\"\n# Insert at the end of the file\nprintf '%s\\n' \"Storage=none\" >> \"/etc/systemd/coredump.conf\"\n# Clean up after ourselves.\nrm \"/etc/systemd/coredump.conf.bak\"" } }, { 
@@ -65998,97 +65998,97 @@ { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] 
}, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -66183,11 +66183,11 @@ } ], "id": "dconf_gnome_banner_enabled", - "title": "undefined title", + "title": "Enable GNOME3 Login Warning Banner", "desc": "In the default graphical environment, displaying a login warning banner\nin the GNOME Display Manager's login screen can be enabled on the login\nscreen by settingto.To enable, add or editto. For example:Once the setting has been added, add a lock toto prevent user modification.\nFor example:After the settings have been set, run.\nThe banner text must also be set.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'gdm3' 2>/dev/null | grep -q installed; then\n\n# Check for setting in any of the DConf db directories\n# If files contain ibus or distro, ignore them.\n# The assignment assumes that individual filenames don't contain :\nreadarray -t SETTINGSFILES < <(grep -r \"\\\\[org/gnome/login-screen\\\\]\" \"/etc/dconf/db/\" | grep -v 'distro\\|ibus' | cut -d\":\" -f1)\nDCONFFILE=\"/etc/dconf/db/gdm.d/00-security-settings\"\nDBDIR=\"/etc/dconf/db/gdm.d\"\n\nmkdir -p \"${DBDIR}\"\n\nif [ \"${#SETTINGSFILES[@]}\" -eq 0 ]\nthen\n [ ! 
-z ${DCONFFILE} ] || echo \"\" >> ${DCONFFILE}\n printf '%s\\n' \"[org/gnome/login-screen]\" >> ${DCONFFILE}\n printf '%s=%s\\n' \"banner-message-enable\" \"true\" >> ${DCONFFILE}\nelse\n escaped_value=\"$(sed -e 's/\\\\/\\\\\\\\/g' <<< \"true\")\"\n if grep -q \"^\\\\s*banner-message-enable\\\\s*=\" \"${SETTINGSFILES[@]}\"\n then\n \n sed -i \"s/\\\\s*banner-message-enable\\\\s*=\\\\s*.*/banner-message-enable=${escaped_value}/g\" \"${SETTINGSFILES[@]}\"\n else\n sed -i \"\\\\|\\\\[org/gnome/login-screen\\\\]|a\\\\banner-message-enable=${escaped_value}\" \"${SETTINGSFILES[@]}\"\n fi\nfi\n\ndconf update\n# Check for setting in any of the DConf db directories\nLOCKFILES=$(grep -r \"^/org/gnome/login-screen/banner-message-enable$\" \"/etc/dconf/db/\" | grep -v 'distro\\|ibus' | cut -d\":\" -f1)\nLOCKSFOLDER=\"/etc/dconf/db/gdm.d/locks\"\n\nmkdir -p \"${LOCKSFOLDER}\"\n\nif [[ -z \"${LOCKFILES}\" ]]\nthen\n echo \"/org/gnome/login-screen/banner-message-enable\" >> \"/etc/dconf/db/gdm.d/locks/00-security-settings-lock\"\nfi\n\ndconf update\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'gdm3' 2>/dev/null | grep -q installed; then\n\n# Check for setting in any of the DConf db directories\n# If files contain ibus or distro, ignore them.\n# The assignment assumes that individual filenames don't contain :\nreadarray -t SETTINGSFILES < <(grep -r \"\\\\[org/gnome/login-screen\\\\]\" \"/etc/dconf/db/\" | grep -v 'distro\\|ibus' | cut -d\":\" -f1)\nDCONFFILE=\"/etc/dconf/db/gdm.d/00-security-settings\"\nDBDIR=\"/etc/dconf/db/gdm.d\"\n\nmkdir -p \"${DBDIR}\"\n\nif [ \"${#SETTINGSFILES[@]}\" -eq 0 ]\nthen\n [ ! 
-z ${DCONFFILE} ] || echo \"\" >> ${DCONFFILE}\n printf '%s\\n' \"[org/gnome/login-screen]\" >> ${DCONFFILE}\n printf '%s=%s\\n' \"banner-message-enable\" \"true\" >> ${DCONFFILE}\nelse\n escaped_value=\"$(sed -e 's/\\\\/\\\\\\\\/g' <<< \"true\")\"\n if grep -q \"^\\\\s*banner-message-enable\\\\s*=\" \"${SETTINGSFILES[@]}\"\n then\n \n sed -i \"s/\\\\s*banner-message-enable\\\\s*=\\\\s*.*/banner-message-enable=${escaped_value}/g\" \"${SETTINGSFILES[@]}\"\n else\n sed -i \"\\\\|\\\\[org/gnome/login-screen\\\\]|a\\\\banner-message-enable=${escaped_value}\" \"${SETTINGSFILES[@]}\"\n fi\nfi\n\ndconf update\n# Check for setting in any of the DConf db directories\nLOCKFILES=$(grep -r \"^/org/gnome/login-screen/banner-message-enable$\" \"/etc/dconf/db/\" | grep -v 'distro\\|ibus' | cut -d\":\" -f1)\nLOCKSFOLDER=\"/etc/dconf/db/gdm.d/locks\"\n\nmkdir -p \"${LOCKSFOLDER}\"\n\nif [[ -z \"${LOCKFILES}\" ]]\nthen\n echo \"/org/gnome/login-screen/banner-message-enable\" >> \"/etc/dconf/db/gdm.d/locks/00-security-settings-lock\"\nfi\n\ndconf update\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -66287,19 +66287,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -66484,11 +66484,11 @@ } ], "id": "dconf_gnome_disable_ctrlaltdel_reboot", - "title": "undefined title", + "title": "Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3", "desc": "By default,will reboot the system if thekey sequence is pressed.To configure the system to ignore thekey sequence\nfrom the Graphical User Interface (GUI) instead of rebooting the system,\nadd or settoin. For example:Once the settings have been added, add a lock toto prevent\nuser modification. For example:After the settings have been set, run.", "impact": 0.7, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'gdm3' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\n\n# Check for setting in any of the DConf db directories\n# If files contain ibus or distro, ignore them.\n# The assignment assumes that individual filenames don't contain :\nreadarray -t SETTINGSFILES < <(grep -r \"\\\\[org/gnome/settings-daemon/plugins/media-keys\\\\]\" \"/etc/dconf/db/\" | grep -v 'distro\\|ibus' | cut -d\":\" -f1)\nDCONFFILE=\"/etc/dconf/db/local.d/00-security-settings\"\nDBDIR=\"/etc/dconf/db/local.d\"\n\nmkdir -p \"${DBDIR}\"\n\nif [ \"${#SETTINGSFILES[@]}\" -eq 0 ]\nthen\n [ ! 
-z ${DCONFFILE} ] || echo \"\" >> ${DCONFFILE}\n printf '%s\\n' \"[org/gnome/settings-daemon/plugins/media-keys]\" >> ${DCONFFILE}\n printf '%s=%s\\n' \"logout\" \"''\" >> ${DCONFFILE}\nelse\n escaped_value=\"$(sed -e 's/\\\\/\\\\\\\\/g' <<< \"''\")\"\n if grep -q \"^\\\\s*logout\\\\s*=\" \"${SETTINGSFILES[@]}\"\n then\n \n sed -i \"s/\\\\s*logout\\\\s*=\\\\s*.*/logout=${escaped_value}/g\" \"${SETTINGSFILES[@]}\"\n else\n sed -i \"\\\\|\\\\[org/gnome/settings-daemon/plugins/media-keys\\\\]|a\\\\logout=${escaped_value}\" \"${SETTINGSFILES[@]}\"\n fi\nfi\n\ndconf update\n# Check for setting in any of the DConf db directories\nLOCKFILES=$(grep -r \"^/org/gnome/settings-daemon/plugins/media-keys/logout$\" \"/etc/dconf/db/\" | grep -v 'distro\\|ibus' | cut -d\":\" -f1)\nLOCKSFOLDER=\"/etc/dconf/db/local.d/locks\"\n\nmkdir -p \"${LOCKSFOLDER}\"\n\nif [[ -z \"${LOCKFILES}\" ]]\nthen\n echo \"/org/gnome/settings-daemon/plugins/media-keys/logout\" >> \"/etc/dconf/db/local.d/locks/00-security-settings-lock\"\nfi\n\ndconf update\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'gdm3' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\n\n# Check for setting in any of the DConf db directories\n# If files contain ibus or distro, ignore them.\n# The assignment assumes that individual filenames don't contain :\nreadarray -t SETTINGSFILES < <(grep -r \"\\\\[org/gnome/settings-daemon/plugins/media-keys\\\\]\" \"/etc/dconf/db/\" | grep -v 'distro\\|ibus' | cut -d\":\" -f1)\nDCONFFILE=\"/etc/dconf/db/local.d/00-security-settings\"\nDBDIR=\"/etc/dconf/db/local.d\"\n\nmkdir -p \"${DBDIR}\"\n\nif [ \"${#SETTINGSFILES[@]}\" -eq 0 ]\nthen\n [ ! 
-z ${DCONFFILE} ] || echo \"\" >> ${DCONFFILE}\n printf '%s\\n' \"[org/gnome/settings-daemon/plugins/media-keys]\" >> ${DCONFFILE}\n printf '%s=%s\\n' \"logout\" \"''\" >> ${DCONFFILE}\nelse\n escaped_value=\"$(sed -e 's/\\\\/\\\\\\\\/g' <<< \"''\")\"\n if grep -q \"^\\\\s*logout\\\\s*=\" \"${SETTINGSFILES[@]}\"\n then\n \n sed -i \"s/\\\\s*logout\\\\s*=\\\\s*.*/logout=${escaped_value}/g\" \"${SETTINGSFILES[@]}\"\n else\n sed -i \"\\\\|\\\\[org/gnome/settings-daemon/plugins/media-keys\\\\]|a\\\\logout=${escaped_value}\" \"${SETTINGSFILES[@]}\"\n fi\nfi\n\ndconf update\n# Check for setting in any of the DConf db directories\nLOCKFILES=$(grep -r \"^/org/gnome/settings-daemon/plugins/media-keys/logout$\" \"/etc/dconf/db/\" | grep -v 'distro\\|ibus' | cut -d\":\" -f1)\nLOCKSFOLDER=\"/etc/dconf/db/local.d/locks\"\n\nmkdir -p \"${LOCKSFOLDER}\"\n\nif [[ -z \"${LOCKFILES}\" ]]\nthen\n echo \"/org/gnome/settings-daemon/plugins/media-keys/logout\" >> \"/etc/dconf/db/local.d/locks/00-security-settings-lock\"\nfi\n\ndconf update\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -66521,11 +66521,11 @@ } ], "id": "dconf_gnome_disable_user_list", - "title": "undefined title", + "title": "Disable the GNOME3 Login User List", "desc": "In the default graphical environment, users logging directly into the\nsystem are greeted with a login screen that displays all known users.\nThis functionality should be disabled by settingto.To disable, add or editto. For example:Once the setting has been added, add a lock toto prevent\nuser modification. For example:After the settings have been set, run.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'gdm3' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\n\n# Check for setting in any of the DConf db directories\n# If files contain ibus or distro, ignore them.\n# The assignment assumes that individual filenames don't contain :\nreadarray -t SETTINGSFILES < <(grep -r \"\\\\[org/gnome/login-screen\\\\]\" \"/etc/dconf/db/\" | grep -v 'distro\\|ibus' | cut -d\":\" -f1)\nDCONFFILE=\"/etc/dconf/db/gdm.d/00-security-settings\"\nDBDIR=\"/etc/dconf/db/gdm.d\"\n\nmkdir -p \"${DBDIR}\"\n\nif [ \"${#SETTINGSFILES[@]}\" -eq 0 ]\nthen\n [ ! 
-z ${DCONFFILE} ] || echo \"\" >> ${DCONFFILE}\n printf '%s\\n' \"[org/gnome/login-screen]\" >> ${DCONFFILE}\n printf '%s=%s\\n' \"disable-user-list\" \"true\" >> ${DCONFFILE}\nelse\n escaped_value=\"$(sed -e 's/\\\\/\\\\\\\\/g' <<< \"true\")\"\n if grep -q \"^\\\\s*disable-user-list\\\\s*=\" \"${SETTINGSFILES[@]}\"\n then\n \n sed -i \"s/\\\\s*disable-user-list\\\\s*=\\\\s*.*/disable-user-list=${escaped_value}/g\" \"${SETTINGSFILES[@]}\"\n else\n sed -i \"\\\\|\\\\[org/gnome/login-screen\\\\]|a\\\\disable-user-list=${escaped_value}\" \"${SETTINGSFILES[@]}\"\n fi\nfi\n\ndconf update\n# Check for setting in any of the DConf db directories\nLOCKFILES=$(grep -r \"^/org/gnome/login-screen/disable-user-list$\" \"/etc/dconf/db/\" | grep -v 'distro\\|ibus' | cut -d\":\" -f1)\nLOCKSFOLDER=\"/etc/dconf/db/gdm.d/locks\"\n\nmkdir -p \"${LOCKSFOLDER}\"\n\nif [[ -z \"${LOCKFILES}\" ]]\nthen\n echo \"/org/gnome/login-screen/disable-user-list\" >> \"/etc/dconf/db/gdm.d/locks/00-security-settings-lock\"\nfi\n\ndconf update\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'gdm3' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\n\n# Check for setting in any of the DConf db directories\n# If files contain ibus or distro, ignore them.\n# The assignment assumes that individual filenames don't contain :\nreadarray -t SETTINGSFILES < <(grep -r \"\\\\[org/gnome/login-screen\\\\]\" \"/etc/dconf/db/\" | grep -v 'distro\\|ibus' | cut -d\":\" -f1)\nDCONFFILE=\"/etc/dconf/db/gdm.d/00-security-settings\"\nDBDIR=\"/etc/dconf/db/gdm.d\"\n\nmkdir -p \"${DBDIR}\"\n\nif [ \"${#SETTINGSFILES[@]}\" -eq 0 ]\nthen\n [ ! 
-z ${DCONFFILE} ] || echo \"\" >> ${DCONFFILE}\n printf '%s\\n' \"[org/gnome/login-screen]\" >> ${DCONFFILE}\n printf '%s=%s\\n' \"disable-user-list\" \"true\" >> ${DCONFFILE}\nelse\n escaped_value=\"$(sed -e 's/\\\\/\\\\\\\\/g' <<< \"true\")\"\n if grep -q \"^\\\\s*disable-user-list\\\\s*=\" \"${SETTINGSFILES[@]}\"\n then\n \n sed -i \"s/\\\\s*disable-user-list\\\\s*=\\\\s*.*/disable-user-list=${escaped_value}/g\" \"${SETTINGSFILES[@]}\"\n else\n sed -i \"\\\\|\\\\[org/gnome/login-screen\\\\]|a\\\\disable-user-list=${escaped_value}\" \"${SETTINGSFILES[@]}\"\n fi\nfi\n\ndconf update\n# Check for setting in any of the DConf db directories\nLOCKFILES=$(grep -r \"^/org/gnome/login-screen/disable-user-list$\" \"/etc/dconf/db/\" | grep -v 'distro\\|ibus' | cut -d\":\" -f1)\nLOCKSFOLDER=\"/etc/dconf/db/gdm.d/locks\"\n\nmkdir -p \"${LOCKSFOLDER}\"\n\nif [[ -z \"${LOCKFILES}\" ]]\nthen\n echo \"/org/gnome/login-screen/disable-user-list\" >> \"/etc/dconf/db/gdm.d/locks/00-security-settings-lock\"\nfi\n\ndconf update\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -66600,97 +66600,97 @@ { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] 
}, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -66779,7 +66779,7 @@ } ], "id": "dconf_gnome_login_banner_text", - "title": "undefined title", + "title": "Set the GNOME3 Login Warning Banner Text", "desc": "In the default graphical environment, configuring the login warning banner text\nin the GNOME Display Manager's login screen can be configured on the login\nscreen by settingtowhereis the approved banner for your environment.To enable, add or editto. For example:Once the setting has been added, add a lock toto prevent user modification.\nFor example:After the settings have been set, run.\nWhen entering a warning banner that spans several lines, remember\nto begin and end the string withand usefor new lines.", "impact": 0.5, "descs": {} 
@@ -66868,97 +66868,97 @@ { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] 
}, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -67041,7 +67041,7 @@ } ], "id": "dconf_gnome_screensaver_lock_enabled", - "title": "undefined title", + "title": "Enable GNOME3 Screensaver Lock After Idle Period", "desc": "To activate locking of the screensaver in the GNOME3 desktop when it is activated,\nadd or settoin. For example:Once the settings have been added, add a lock toto prevent user modification.\nFor example:After the settings have been set, run.", "impact": 0.5, "descs": {} 
@@ -67056,7 +67056,7 @@ }, "refs": [], "id": "dhcp_client_restrict_options", - "title": "undefined title", + "title": "Minimize the DHCP-Configured Options", "desc": "Create the file, and add an\nappropriate setting for each of the ten configuration settings which can be\nobtained via DHCP. For each setting, do one of the following:If the setting shouldbe configured remotely by the DHCP server,\nselect an appropriate static value, and add the line:If the setting should be configured remotely by the DHCP server, add the lines:For example, suppose the DHCP server should provide only the IP address itself\nand the subnet mask. Then the entire file should look like:", "impact": 0.5, "descs": {} 
@@ -67139,265 +67139,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -67474,7 +67474,7 @@ } ], "id": "dhcp_server_minimize_served_info", - "title": "undefined title", + "title": "Minimize Served Information", "desc": "Edit /etc/dhcp/dhcpd.conf. Examine each address range section within\nthe file, and ensure that the following options are not defined unless there is\nan operational need to provide this information via DHCP:", "impact": 0.5, "descs": {} @@ -67520,7 +67520,7 @@ } ], "id": "dir_ownership_library_dirs", - "title": "undefined title", + "title": "Verify that Shared Library Directories Have Root Ownership", "desc": "System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:Kernel modules, which can be added to the kernel during runtime, are also\nstored in. All files in these directories should be\nowned by theuser. If the directories, is found to be owned\nby a user other than root correct its\nownership with the following command:", "impact": 0.5, "descs": {} 
@@ -67573,7 +67573,7 @@ } ], "id": "dir_permissions_library_dirs", - "title": "undefined title", + "title": "Verify that Shared Library Directories Have Restrictive Permissions", "desc": "System-wide shared library directories, which contain are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:Kernel modules, which can be added to the kernel during runtime, are\nstored in. All sub-directories in these directories\nshould not be group-writable or world-writable. If any file in these\ndirectories is found to be group-writable or world-writable, correct\nits permission with the following command:", "impact": 0.5, "descs": { @@ -67682,19 +67682,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -67927,7 +67927,7 @@ } ], "id": "dir_perms_world_writable_sticky_bits", - "title": "undefined title", + "title": "Verify that All World-Writable Directories Have Sticky Bits Set", "desc": "When the so-called 'sticky bit' is set on a directory,\nonly the owner of a given file may remove that file from the\ndirectory. Without the sticky bit, any user with write access to a\ndirectory may remove any file in the directory. Setting the sticky\nbit prevents users from removing each other's files. In cases where\nthere is no reason for a directory to be world-writable, a better\nsolution is to remove that permission rather than to set the sticky\nbit. However, if a directory is used by a particular application,\nconsult that application's documentation instead of blindly\nchanging modes.To set the sticky bit on a world-writable directory, run the\nfollowing command:", "impact": 0.5, "descs": {} 
@@ -67974,11 +67974,11 @@ } ], "id": "directory_access_var_log_audit", - "title": "undefined title", + "title": "Record Access Events to Audit Log Directory", "desc": "The audit system should collect access events to read audit log directory.\nThe following audit rule will assure that access to audit log directory are\ncollected.If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default), add the\nrule to a file with suffixin the directory.\nIf thedaemon is configured to use theutility to read audit rules during daemon startup, add the rule tofile.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\n\nACTION_ARCH_FILTERS=\"-a always,exit\"\nOTHER_FILTERS=\"-F dir=/var/log/audit/ -F perm=r\"\nAUID_FILTERS=\"-F auid>=1000 -F auid!=unset\"\nSYSCALL=\"\"\nKEY=\"access-audit-trail\"\nSYSCALL_GROUPING=\"\"\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\n# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. 
The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n# If audit tool is 'augenrules', then check if the audit rule is defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\ndefault_file=\"/etc/audit/rules.d/$KEY.rules\"\n# As other_filters may include paths, lets use a different delimiter for it\n# The \"F\" script expression tells sed to print the filenames where the expressions matched\nreadarray -t files_to_inspect < <(sed -s -n -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" -e \"F\" /etc/audit/rules.d/*.rules)\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\nif [ ${#files_to_inspect[@]} -eq \"0\" ]\nthen\n file_to_inspect=\"/etc/audit/rules.d/$KEY.rules\"\n files_to_inspect=(\"$file_to_inspect\")\n if [ ! 
-e \"$file_to_inspect\" ]\n then\n touch \"$file_to_inspect\"\n chmod 0640 \"$file_to_inspect\"\n fi\nfi\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\n# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# file to the list of files to be inspected\ndefault_file=\"/etc/audit/audit.rules\"\nfiles_to_inspect+=('/etc/audit/audit.rules' )\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e 
\"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\n\nACTION_ARCH_FILTERS=\"-a always,exit\"\nOTHER_FILTERS=\"-F dir=/var/log/audit/ -F perm=r\"\nAUID_FILTERS=\"-F auid>=1000 -F auid!=unset\"\nSYSCALL=\"\"\nKEY=\"access-audit-trail\"\nSYSCALL_GROUPING=\"\"\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\n# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. 
The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n# If audit tool is 'augenrules', then check if the audit rule is defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\ndefault_file=\"/etc/audit/rules.d/$KEY.rules\"\n# As other_filters may include paths, lets use a different delimiter for it\n# The \"F\" script expression tells sed to print the filenames where the expressions matched\nreadarray -t files_to_inspect < <(sed -s -n -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" -e \"F\" /etc/audit/rules.d/*.rules)\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\nif [ ${#files_to_inspect[@]} -eq \"0\" ]\nthen\n file_to_inspect=\"/etc/audit/rules.d/$KEY.rules\"\n files_to_inspect=(\"$file_to_inspect\")\n if [ ! 
-e \"$file_to_inspect\" ]\n then\n touch \"$file_to_inspect\"\n chmod 0640 \"$file_to_inspect\"\n fi\nfi\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e \"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\n# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n# \n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# file to the list of files to be inspected\ndefault_file=\"/etc/audit/audit.rules\"\nfiles_to_inspect+=('/etc/audit/audit.rules' )\n\n# Indicator that we want to append $full_rule into $audit_file or edit a rule in it\nappend_expected_rule=0\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e 
\"/$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\"\n if [ $? -ne 0 ]\n then\n candidate_rules+=(\"$s_rule\")\n fi\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\"\n if [ $? 
-eq 1 ]\n then\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n fi\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [[ $candidate_rules ]]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [[ ${syscall_a} ]]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\")\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\")\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\"\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\"\n 
if [ $? -eq 1 ]\n then\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n fi\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -68167,115 +68167,115 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] 
}, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -68616,7 +68616,7 @@
 }
 ],
 "id": "directory_permissions_var_log_audit",
- "title": "undefined title",
+ "title": "System Audit Logs Must Have Mode 0750 or Less Permissive",
 "desc": "Ifinis set to a group other than thegroup account, change the mode of the audit log files with the following command:Otherwise, change the mode of the audit log files with the following command:",
 "impact": 0.5,
 "descs": {}
@@ -68784,19 +68784,19 @@
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
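Review bot: The regenerated fixture still carries `desc` values whose inline element text has been dropped — on the context line here `"Ifinis set to a group other than thegroup account"` and `"following command:Otherwise"` read as if the child elements holding the group name, file names and commands were removed together with their tags, and the same shape appears in the hunks at -69041, -69462, -70135, -70466 and -70623 (`"add or correct the following line in:"` ends with nothing after the colon). The commit fixes the `"undefined title"` values but leaves these descriptions, which matter because `desc` is the text an assessor reads to learn which file, group or command a control applies to. The parser that produces this field is outside this hunk, but a tag stripper that discards element content rather than only the markup would yield exactly this output, so it should retain the inner text and separate it from its neighbours with a space, with this fixture regenerated afterwards to pin the expectation. Separately, the `-`/`+` URL pairs in the -68784 hunk read identically on this page, so the actual change is presumably an entity-level difference around `&` that the rendering has flattened; confirm the new side holds the decoded `&` rather than `&amp;`, since these `url` values are emitted as data rather than HTML.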
@@ -69041,11 +69041,11 @@ } ], "id": "disable_ctrlaltdel_burstaction", - "title": "undefined title", + "title": "Disable Ctrl-Alt-Del Burst Action", "desc": "By default,will reboot the system if thekey sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.To configure the system to ignore thesetting, add or modify the following to:", "impact": 0.7, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'systemd' 2>/dev/null | grep -q installed; then\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/systemd/system.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^CtrlAltDelBurstAction=\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s=%s\" \"$stripped_key\" \"none\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^CtrlAltDelBurstAction=\\\\>\" \"/etc/systemd/system.conf\"; then\n \"${sed_command[@]}\" \"s/^CtrlAltDelBurstAction=\\\\>.*/$formatted_output/gi\" \"/etc/systemd/system.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/systemd/system.conf\" >> \"/etc/systemd/system.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/systemd/system.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'systemd' 2>/dev/null | grep -q installed; then\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/systemd/system.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^CtrlAltDelBurstAction=\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s=%s\" \"$stripped_key\" \"none\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^CtrlAltDelBurstAction=\\\\>\" \"/etc/systemd/system.conf\"; then\n \"${sed_command[@]}\" \"s/^CtrlAltDelBurstAction=\\\\>.*/$formatted_output/gi\" \"/etc/systemd/system.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/systemd/system.conf\" >> \"/etc/systemd/system.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/systemd/system.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -69211,19 +69211,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -69462,11 +69462,11 @@
 }
 ],
 "id": "disable_ctrlaltdel_reboot",
- "title": "undefined title",
+ "title": "Disable Ctrl-Alt-Del Reboot Activation",
 "desc": "By default,will reboot the system if thekey sequence is pressed.To configure the system to ignore thekey sequence from the\n\ncommand line instead of rebooting the system, do either of the following:orDo not simply delete thefile,\nas this file may be restored during future system updates.",
 "impact": 0.7,
 "descs": {
- "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nsystemctl disable --now ctrl-alt-del.target\nsystemctl mask --now ctrl-alt-del.target\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
+ "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nsystemctl disable --now ctrl-alt-del.target\nsystemctl mask --now ctrl-alt-del.target\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
 }
 },
 {
@@ -69656,271 +69656,271 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -70135,11 +70135,11 @@ } ], "id": "disable_host_auth", - "title": "undefined title", + "title": "Disable Host-Based Authentication", "desc": "SSH's cryptographic host-based authentication is\nmore secure thanauthentication. However, it is\nnot recommended that hosts unilaterally trust one another, even\nwithin an organization.To disable host-based authentication, add or correct the\nfollowing line in:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*HostbasedAuthentication\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"HostbasedAuthentication no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"HostbasedAuthentication no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*HostbasedAuthentication\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"HostbasedAuthentication no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"HostbasedAuthentication no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -70293,55 +70293,55 @@
 {
 "ref": "4.3.4.3.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.4.3.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "4.3.4.4.4",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 3.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 3.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 3.4",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 3.8",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 4.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 7.6",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -70466,11 +70466,11 @@
 }
 ],
 "id": "disable_prelink",
- "title": "undefined title",
+ "title": "Disable Prelinking",
 "desc": "The prelinking feature changes binaries in an attempt to decrease their startup\ntime. In order to disable it, change or add the following line inside the file:Next, run the following command to return binaries to a normal, non-prelinked state:",
 "impact": 0.5,
 "descs": {
- "fix": "# prelink not installed\nif test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then\n if grep -q ^PRELINKING /etc/sysconfig/prelink\n then\n sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink\n else\n printf '\\n' >> /etc/sysconfig/prelink\n printf '%s\\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink\n fi\n\n # Undo previous prelink changes to binaries if prelink is available.\n if test -x /usr/sbin/prelink; then\n /usr/sbin/prelink -ua\n fi\nfi"
+ "fix": "# prelink not installed\nif test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then\n if grep -q ^PRELINKING /etc/sysconfig/prelink\n then\n sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink\n else\n printf '\\n' >> /etc/sysconfig/prelink\n printf '%s\\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink\n fi\n\n # Undo previous prelink changes to binaries if prelink is available.\n if test -x /usr/sbin/prelink; then\n /usr/sbin/prelink -ua\n fi\nfi"
 }
 },
 {
@@ -70576,19 +70576,19 @@ { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -70623,7 +70623,7 @@ } ], "id": "disable_users_coredumps", - "title": "undefined title", + "title": "Disable Core Dumps for All Users", "desc": "To disable core dumps for all users, add the following line to, or to a file within thedirectory:", "impact": 0.5, "descs": { 
@@ -70697,97 +70697,97 @@ { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] 
}, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -70864,11 +70864,11 @@ } ], "id": "display_login_attempts", - "title": "undefined title", + "title": "Ensure PAM Displays Last Logon/Access Notification", "desc": "To configure the system to notify users of last logon/access\nusing, add or correct thesettings into read as follows:And make sure that theoption is not set.", "impact": 0.3, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\nif [ -e \"/etc/pam.d/login\" ] ; then\n valueRegex=\"\" defaultValue=\"\"\n # non-empty values need to be preceded by an equals sign\n [ -n \"${valueRegex}\" ] && valueRegex=\"=${valueRegex}\"\n # add an equals sign to non-empty values\n [ -n \"${defaultValue}\" ] && defaultValue=\"=${defaultValue}\"\n\n # fix 'type' if it's wrong\n if grep -q -P \"^\\\\s*(?\"'!'\"session\\\\s)[[:alnum:]]+\\\\s+[[:alnum:]]+\\\\s+pam_lastlog.so\" < \"/etc/pam.d/login\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*)[[:alnum:]]+(\\\\s+[[:alnum:]]+\\\\s+pam_lastlog.so)/\\\\1session\\\\2/\" \"/etc/pam.d/login\"\n fi\n\n # fix 'control' if it's wrong\n if grep -q -P \"^\\\\s*session\\\\s+(?\"'!'\"required)[[:alnum:]]+\\\\s+pam_lastlog.so\" < \"/etc/pam.d/login\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*session\\\\s+)[[:alnum:]]+(\\\\s+pam_lastlog.so)/\\\\1required\\\\2/\" \"/etc/pam.d/login\"\n fi\n\n # fix the value for 'option' if one exists but does not match 'valueRegex'\n if grep -q -P \"^\\\\s*session\\\\s+required\\\\s+pam_lastlog.so(\\\\s.+)?\\\\s+showfailed(?\"'!'\"${valueRegex}(\\\\s|\\$))\" < \"/etc/pam.d/login\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*session\\\\s+required\\\\s+pam_lastlog.so(\\\\s.+)?\\\\s)showfailed=[^[:space:]]*/\\\\1showfailed${defaultValue}/\" \"/etc/pam.d/login\"\n\n # add 'option=default' if option is not set\n elif grep -q -E \"^\\\\s*session\\\\s+required\\\\s+pam_lastlog.so\" < 
\"/etc/pam.d/login\" &&\n grep -E \"^\\\\s*session\\\\s+required\\\\s+pam_lastlog.so\" < \"/etc/pam.d/login\" | grep -q -E -v \"\\\\sshowfailed(=|\\\\s|\\$)\" ; then\n\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*session\\\\s+required\\\\s+pam_lastlog.so[^\\\\n]*)/\\\\1 showfailed${defaultValue}/\" \"/etc/pam.d/login\"\n # add a new entry if none exists\n elif ! grep -q -P \"^\\\\s*session\\\\s+required\\\\s+pam_lastlog.so(\\\\s.+)?\\\\s+showfailed${valueRegex}(\\\\s|\\$)\" < \"/etc/pam.d/login\" ; then\n echo \"session required pam_lastlog.so showfailed${defaultValue}\" >> \"/etc/pam.d/login\"\n fi\nelse\n echo \"/etc/pam.d/login doesn't exist\" >&2\nfi\n\n# remove 'silent' option\nsed -i --follow-symlinks -E -e 's/^([^#]+pam_lastlog\\.so[^#]*)\\ssilent/\\1/' '/etc/pam.d/login'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\nif [ -e \"/etc/pam.d/login\" ] ; then\n valueRegex=\"\" defaultValue=\"\"\n # non-empty values need to be preceded by an equals sign\n [ -n \"${valueRegex}\" ] && valueRegex=\"=${valueRegex}\"\n # add an equals sign to non-empty values\n [ -n \"${defaultValue}\" ] && defaultValue=\"=${defaultValue}\"\n\n # fix 'type' if it's wrong\n if grep -q -P \"^\\\\s*(?\"'!'\"session\\\\s)[[:alnum:]]+\\\\s+[[:alnum:]]+\\\\s+pam_lastlog.so\" < \"/etc/pam.d/login\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*)[[:alnum:]]+(\\\\s+[[:alnum:]]+\\\\s+pam_lastlog.so)/\\\\1session\\\\2/\" \"/etc/pam.d/login\"\n fi\n\n # fix 'control' if it's wrong\n if grep -q -P \"^\\\\s*session\\\\s+(?\"'!'\"required)[[:alnum:]]+\\\\s+pam_lastlog.so\" < \"/etc/pam.d/login\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*session\\\\s+)[[:alnum:]]+(\\\\s+pam_lastlog.so)/\\\\1required\\\\2/\" \"/etc/pam.d/login\"\n fi\n\n # fix the value for 'option' if one exists 
but does not match 'valueRegex'\n if grep -q -P \"^\\\\s*session\\\\s+required\\\\s+pam_lastlog.so(\\\\s.+)?\\\\s+showfailed(?\"'!'\"${valueRegex}(\\\\s|\\$))\" < \"/etc/pam.d/login\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*session\\\\s+required\\\\s+pam_lastlog.so(\\\\s.+)?\\\\s)showfailed=[^[:space:]]*/\\\\1showfailed${defaultValue}/\" \"/etc/pam.d/login\"\n\n # add 'option=default' if option is not set\n elif grep -q -E \"^\\\\s*session\\\\s+required\\\\s+pam_lastlog.so\" < \"/etc/pam.d/login\" &&\n grep -E \"^\\\\s*session\\\\s+required\\\\s+pam_lastlog.so\" < \"/etc/pam.d/login\" | grep -q -E -v \"\\\\sshowfailed(=|\\\\s|\\$)\" ; then\n\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*session\\\\s+required\\\\s+pam_lastlog.so[^\\\\n]*)/\\\\1 showfailed${defaultValue}/\" \"/etc/pam.d/login\"\n # add a new entry if none exists\n elif ! grep -q -P \"^\\\\s*session\\\\s+required\\\\s+pam_lastlog.so(\\\\s.+)?\\\\s+showfailed${valueRegex}(\\\\s|\\$)\" < \"/etc/pam.d/login\" ; then\n echo \"session required pam_lastlog.so showfailed${defaultValue}\" >> \"/etc/pam.d/login\"\n fi\nelse\n echo \"/etc/pam.d/login doesn't exist\" >&2\nfi\n\n# remove 'silent' option\nsed -i --follow-symlinks -E -e 's/^([^#]+pam_lastlog\\.so[^#]*)\\ssilent/\\1/' '/etc/pam.d/login'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -70888,7 +70888,7 @@ } ], "id": "enable_dconf_user_profile", - "title": "undefined title", + "title": "Configure GNOME3 DConf User Profile", "desc": "By default, DConf provides a standard user profile. This profile contains a list\nof DConf configuration databases. The user profile and database always take the\nhighest priority. As such the DConf User profile should always exist and be\nconfigured correctly.To make sure that the user profile is configured correctly, theshould be set as follows:", "impact": 0.7, "descs": {} 
@@ -71055,19 +71055,19 @@ { "ref": "SR 3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -71288,7 +71288,7 @@ } ], "id": "encrypt_partitions", - "title": "undefined title", + "title": "Encrypt Partitions", "desc": "Ubuntu 20.04 natively supports partition encryption through the\nLinux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to\nencrypt a partition is during installation time.For manual installations, select thecheckbox during\npartition creation to encrypt the partition. When this\noption is selected the system will prompt for a passphrase to use in\ndecrypting the partition. The passphrase will subsequently need to be entered manually\nevery time the system boots.For automated/unattended installations, it is possible to use Kickstart by adding\ntheandoptions to the definition of each partition to be\nencrypted. For example, the following line would encrypt the root partition:Anyis stored in the Kickstart in plaintext, and the Kickstart\nmust then be protected accordingly.\nOmitting theoption from the partition definition will cause the\ninstaller to pause and interactively ask for the passphrase during installation.By default, theinstaller usescipher\nwith a minimumbit key size which should be compatible with FIPS enabled.Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on\nthe Ubuntu 20.04 Documentation web site:.", "impact": 0.7, "descs": {} 
@@ -71402,67 +71402,67 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": 
"SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -71515,11 +71515,11 @@ } ], "id": "ensure_logrotate_activated", - "title": "undefined title", + "title": "Ensure Logrotate Runs Periodically", "desc": "Theutility allows for the automatic rotation of\nlog files. The frequency of rotation is specified in,\nwhich triggers a cron task. To configure logrotate to run daily, add or correct\nthe following line in:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nLOGROTATE_CONF_FILE=\"/etc/logrotate.conf\"\nCRON_DAILY_LOGROTATE_FILE=\"/etc/cron.daily/logrotate\"\n\n# daily rotation is configured\ngrep -q \"^daily$\" $LOGROTATE_CONF_FILE|| echo \"daily\" >> $LOGROTATE_CONF_FILE\n\n# remove any line configuring weekly, monthly or yearly rotation\nsed -i '/^\\s*\\(weekly\\|monthly\\|yearly\\).*$/d' $LOGROTATE_CONF_FILE\n\n# configure cron.daily if not already\nif ! grep -q \"^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$\" $CRON_DAILY_LOGROTATE_FILE; then\n\techo \"#!/bin/sh\" > $CRON_DAILY_LOGROTATE_FILE\n\techo \"/usr/sbin/logrotate $LOGROTATE_CONF_FILE\" >> $CRON_DAILY_LOGROTATE_FILE\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nLOGROTATE_CONF_FILE=\"/etc/logrotate.conf\"\nCRON_DAILY_LOGROTATE_FILE=\"/etc/cron.daily/logrotate\"\n\n# daily rotation is configured\ngrep -q \"^daily$\" $LOGROTATE_CONF_FILE|| echo \"daily\" >> $LOGROTATE_CONF_FILE\n\n# remove any line configuring weekly, monthly or yearly rotation\nsed -i '/^\\s*\\(weekly\\|monthly\\|yearly\\).*$/d' $LOGROTATE_CONF_FILE\n\n# configure cron.daily if not already\nif ! 
grep -q \"^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$\" $CRON_DAILY_LOGROTATE_FILE; then\n\techo \"#!/bin/sh\" > $CRON_DAILY_LOGROTATE_FILE\n\techo \"/usr/sbin/logrotate $LOGROTATE_CONF_FILE\" >> $CRON_DAILY_LOGROTATE_FILE\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -71552,11 +71552,11 @@ } ], "id": "ensure_rtc_utc_configuration", - "title": "undefined title", + "title": "Ensure real-time clock is set to UTC", "desc": "Ensure that the system real-time clock (RTC) is set to Coordinated Universal Time (UTC).", "impact": 0.7, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif timedatectl status | grep -i \"time zone\" | grep -iv 'UTC\\|GMT'; then\n timedatectl set-timezone UTC\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif timedatectl status | grep -i \"time zone\" | grep -iv 'UTC\\|GMT'; then\n timedatectl set-timezone UTC\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -71577,11 +71577,11 @@ } ], "id": "file_groupowner_at_allow", - "title": "undefined title", + "title": "Verify Group Who Owns /etc/at.allow file", "desc": "Ifexists, it must be group-owned by.\n\nTo properly set the group owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/at.allow\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/at.allow\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -71602,7 +71602,7 @@ } ], "id": "file_groupowner_backup_etc_group", - "title": "undefined title", + "title": "Verify Group Who Owns Backup group File", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { @@ -71627,7 +71627,7 @@ } ], "id": "file_groupowner_backup_etc_gshadow", - "title": "undefined title", + "title": "Verify Group Who Owns Backup gshadow File", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { @@ -71652,7 +71652,7 @@ } ], "id": "file_groupowner_backup_etc_passwd", - "title": "undefined title", + "title": "Verify Group Who Owns Backup passwd File", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { @@ -71677,7 +71677,7 @@ } ], "id": "file_groupowner_backup_etc_shadow", - "title": "undefined title", + "title": "Verify User Who Owns Backup shadow File", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { @@ -71781,19 +71781,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -71966,11 +71966,11 @@ } ], "id": "file_groupowner_cron_allow", - "title": "undefined title", + "title": "Verify Group Who Owns /etc/cron.allow file", "desc": "Ifexists, it must be group-owned by.\n\nTo properly set the group owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/cron.allow\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/cron.allow\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -72064,19 +72064,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -72249,11 +72249,11 @@ } ], "id": "file_groupowner_cron_d", - "title": "undefined title", + "title": "Verify Group Who Owns cron.d", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/cron.d/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/cron.d/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -72347,19 +72347,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -72532,11 +72532,11 @@ } ], "id": "file_groupowner_cron_daily", - "title": "undefined title", + "title": "Verify Group Who Owns cron.daily", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/cron.daily/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/cron.daily/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -72630,19 +72630,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -72815,11 +72815,11 @@ } ], "id": "file_groupowner_cron_hourly", - "title": "undefined title", + "title": "Verify Group Who Owns cron.hourly", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/cron.hourly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/cron.hourly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -72913,19 +72913,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -73098,11 +73098,11 @@ } ], "id": "file_groupowner_cron_monthly", - "title": "undefined title", + "title": "Verify Group Who Owns cron.monthly", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/cron.monthly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/cron.monthly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -73196,19 +73196,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -73381,11 +73381,11 @@ } ], "id": "file_groupowner_cron_weekly", - "title": "undefined title", + "title": "Verify Group Who Owns cron.weekly", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/cron.weekly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/cron.weekly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -73479,19 +73479,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -73664,11 +73664,11 @@ } ], "id": "file_groupowner_crontab", - "title": "undefined title", + "title": "Verify Group Who Owns Crontab", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/crontab\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/crontab\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -73768,19 +73768,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -74007,7 +74007,7 @@ } ], "id": "file_groupowner_etc_group", - "title": "undefined title", + "title": "Verify Group Who Owns group File", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { @@ -74105,19 +74105,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -74338,7 +74338,7 @@ } ], "id": "file_groupowner_etc_gshadow", - "title": "undefined title", + "title": "Verify Group Who Owns gshadow File", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { @@ -74363,7 +74363,7 @@ } ], "id": "file_groupowner_etc_issue", - "title": "undefined title", + "title": "Verify Group Ownership of System Login Banner", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { 
@@ -74388,7 +74388,7 @@ } ], "id": "file_groupowner_etc_motd", - "title": "undefined title", + "title": "Verify Group Ownership of Message of the Day Banner", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { @@ -74492,19 +74492,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -74731,7 +74731,7 @@ } ], "id": "file_groupowner_etc_passwd", - "title": "undefined title", + "title": "Verify Group Who Owns passwd File", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { @@ -74835,19 +74835,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -75074,7 +75074,7 @@ } ], "id": "file_groupowner_etc_shadow", - "title": "undefined title", + "title": "Verify Group Who Owns shadow File", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { 
@@ -75172,19 +75172,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -75417,11 +75417,11 @@ } ], "id": "file_groupowner_sshd_config", - "title": "undefined title", + "title": "Verify Group Who Owns SSH Server config file", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/ssh/sshd_config\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchgrp 0 /etc/ssh/sshd_config\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -75454,7 +75454,7 @@ } ], "id": "file_groupowner_var_log", - "title": "undefined title", + "title": "Verify Group Who Owns /var/log Directory", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { @@ -75485,7 +75485,7 @@ } ], "id": "file_groupowner_var_log_messages", - "title": "undefined title", + "title": "Verify Group Who Owns /var/log/messages File", "desc": "To properly set the group owner of, run the command:", "impact": 0.5, "descs": { 
@@ -75533,7 +75533,7 @@ } ], "id": "file_groupownership_system_commands_dirs", - "title": "undefined title", + "title": "Verify that system commands files are group owned by root", "desc": "System commands files are stored in the following directories by default:All files in these directories should be owned by thegroup.\nIf the directory, or any file in these directories, is found to be owned\nby a group other than root correct its ownership with the following command:", "impact": 0.5, "descs": {} @@ -75556,11 +75556,11 @@ } ], "id": "file_owner_at_allow", - "title": "undefined title", + "title": "Verify User Who Owns /etc/at.allow file", "desc": "Ifexists, it must be owned by.\n\nTo properly set the owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/at.allow\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/at.allow\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -75581,7 +75581,7 @@ } ], "id": "file_owner_backup_etc_group", - "title": "undefined title", + "title": "Verify User Who Owns Backup group File", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { @@ -75606,7 +75606,7 @@ } ], "id": "file_owner_backup_etc_gshadow", - "title": "undefined title", + "title": "Verify User Who Owns Backup gshadow File", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { @@ -75631,7 +75631,7 @@ } ], "id": "file_owner_backup_etc_passwd", - "title": "undefined title", + "title": "Verify User Who Owns Backup passwd File", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { 
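Review bot: The new baseline for `file_owner_at_allow` (hunk `@@ -75556,11`) fixes the title but still expects `"desc": "Ifexists, it must be owned by.\n\nTo properly set the owner of, run the command:"`, a description from which the file path, the required owner and the remediation command have all been dropped, so a reader of the generated profile cannot tell what the control checks or how to fix it. The same truncation is visible in every `desc` on this page (for example `file_groupownership_system_commands_dirs`, "should be owned by thegroup"), while the `fix` script of the same rule still carries `chown 0 /etc/at.allow`, so the information exists in the source benchmark; since the `desc` lines are unchanged context, this looks like inline-element text being stripped together with the tags upstream in the parser rather than something this commit introduces, but the commit is what locks the strings in as expected output. I would regenerate the fixture once descriptions keep their inline text, or at least mark the known loss where the fixture is consumed, e.g. `// TODO: desc strings in this fixture lack the inline <code> text (path, owner, command); do not treat them as the intended output`.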
@@ -75656,7 +75656,7 @@ } ], "id": "file_owner_backup_etc_shadow", - "title": "undefined title", + "title": "Verify Group Who Owns Backup shadow File", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { @@ -75760,19 +75760,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -75945,11 +75945,11 @@ } ], "id": "file_owner_cron_allow", - "title": "undefined title", + "title": "Verify User Who Owns /etc/cron.allow file", "desc": "Ifexists, it must be owned by.\n\nTo properly set the owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/cron.allow\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/cron.allow\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
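Review bot: The title added for `file_owner_backup_etc_shadow` in hunk `@@ -75656,7` reads `"Verify Group Who Owns Backup shadow File"`, yet the rule id, its `desc` (`To properly set the owner of, run the command:`) and the three sibling rules `file_owner_backup_etc_group`, `_gshadow` and `_passwd` (all titled `Verify User Who Owns …`) concern user ownership, and the group-ownership checks are the separate `file_groupowner_*` family. This is most likely carried over verbatim from the source XCCDF rather than a mapping error in the parser, but an auditor reading the generated profile would be steered to check the wrong attribute of a credential backup file, so confirm it against the benchmark before accepting the baseline. If it is an upstream defect, record it beside the fixture rather than encoding it silently, e.g. `// NOTE: upstream title for file_owner_backup_etc_shadow says "Group"; the rule checks user ownership (see its desc and fix)`.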
@@ -76043,19 +76043,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -76228,11 +76228,11 @@ } ], "id": "file_owner_cron_d", - "title": "undefined title", + "title": "Verify Owner on cron.d", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/cron.d/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/cron.d/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -76326,19 +76326,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -76511,11 +76511,11 @@ } ], "id": "file_owner_cron_daily", - "title": "undefined title", + "title": "Verify Owner on cron.daily", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/cron.daily/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/cron.daily/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -76609,19 +76609,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -76794,11 +76794,11 @@ } ], "id": "file_owner_cron_hourly", - "title": "undefined title", + "title": "Verify Owner on cron.hourly", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/cron.hourly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/cron.hourly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -76892,19 +76892,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -77077,11 +77077,11 @@ } ], "id": "file_owner_cron_monthly", - "title": "undefined title", + "title": "Verify Owner on cron.monthly", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/cron.monthly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/cron.monthly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -77175,19 +77175,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -77360,11 +77360,11 @@ } ], "id": "file_owner_cron_weekly", - "title": "undefined title", + "title": "Verify Owner on cron.weekly", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/cron.weekly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/cron.weekly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -77458,19 +77458,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -77643,11 +77643,11 @@ } ], "id": "file_owner_crontab", - "title": "undefined title", + "title": "Verify Owner on crontab", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/crontab\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/crontab\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -77747,19 +77747,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -77986,7 +77986,7 @@ } ], "id": "file_owner_etc_group", - "title": "undefined title", + "title": "Verify User Who Owns group File", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { @@ -78090,19 +78090,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -78323,7 +78323,7 @@ } ], "id": "file_owner_etc_gshadow", - "title": "undefined title", + "title": "Verify User Who Owns gshadow File", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { @@ -78348,7 +78348,7 @@ } ], "id": "file_owner_etc_issue", - "title": "undefined title", + "title": "Verify ownership of System Login Banner", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { 
@@ -78373,7 +78373,7 @@ } ], "id": "file_owner_etc_motd", - "title": "undefined title", + "title": "Verify ownership of Message of the Day Banner", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { @@ -78477,19 +78477,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -78716,7 +78716,7 @@ } ], "id": "file_owner_etc_passwd", - "title": "undefined title", + "title": "Verify User Who Owns passwd File", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { @@ -78826,19 +78826,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -79065,7 +79065,7 @@ } ], "id": "file_owner_etc_shadow", - "title": "undefined title", + "title": "Verify User Who Owns shadow File", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { 
@@ -79247,19 +79247,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -79432,11 +79432,11 @@ } ], "id": "file_owner_grub2_cfg", - "title": "undefined title", + "title": "Verify /boot/grub/grub.cfg User Ownership", "desc": "The fileshould\nbe owned by theuser to prevent destruction\nor modification of the file.\n\nTo properly set the owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /boot/grub/grub.cfg\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /boot/grub/grub.cfg\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -79530,19 +79530,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -79775,11 +79775,11 @@ } ], "id": "file_owner_sshd_config", - "title": "undefined title", + "title": "Verify Owner on SSH Server config file", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/ssh/sshd_config\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchown 0 /etc/ssh/sshd_config\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -79812,7 +79812,7 @@ } ], "id": "file_owner_var_log", - "title": "undefined title", + "title": "Verify User Who Owns /var/log Directory", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { @@ -79843,7 +79843,7 @@ } ], "id": "file_owner_var_log_messages", - "title": "undefined title", + "title": "Verify User Who Owns /var/log/messages File", "desc": "To properly set the owner of, run the command:", "impact": 0.5, "descs": { 
@@ -79940,19 +79940,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -80197,7 +80197,7 @@ } ], "id": "file_ownership_binary_dirs", - "title": "undefined title", + "title": "Verify that System Executables Have Root Ownership", "desc": "System executables are stored in the following directories by default:All files in these directories should be owned by theuser.\nIf any filein these directories is found\nto be owned by a user other than root, correct its ownership with the\nfollowing command:", "impact": 0.5, "descs": {} @@ -80292,19 +80292,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -80549,7 +80549,7 @@ } ], "id": "file_ownership_library_dirs", - "title": "undefined title", + "title": "Verify that Shared Library Files Have Root Ownership", "desc": "System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:Kernel modules, which can be added to the kernel during runtime, are also\nstored in. All files in these directories should be\nowned by theuser. If the directory, or any file in these\ndirectories, is found to be owned by a user other than root correct its\nownership with the following command:", "impact": 0.5, "descs": {} 
@@ -80771,115 +80771,115 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] 
}, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -81214,11 +81214,11 @@ } ], "id": "file_ownership_var_log_audit", - "title": "undefined title", + "title": "System Audit Logs Must Be Owned By Root", "desc": "All audit logs must be owned by root user and group. By default, the path for audit log is.\n\nTo properly set the owner of, run the command:To properly set the owner of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\nif LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then\n GROUP=$(awk -F \"=\" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')\n if ! [ \"${GROUP}\" == 'root' ] ; then\n chown root.${GROUP} /var/log/audit\n chown root.${GROUP} /var/log/audit/audit.log*\n else\n chown root.root /var/log/audit\n chown root.root /var/log/audit/audit.log*\n fi\nelse\n chown root.root /var/log/audit\n chown root.root /var/log/audit/audit.log*\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; then\n\nif LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then\n GROUP=$(awk -F \"=\" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')\n if ! [ \"${GROUP}\" == 'root' ] ; then\n chown root.${GROUP} /var/log/audit\n chown root.${GROUP} /var/log/audit/audit.log*\n else\n chown root.root /var/log/audit\n chown root.root /var/log/audit/audit.log*\n fi\nelse\n chown root.root /var/log/audit\n chown root.root /var/log/audit/audit.log*\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -81239,11 +81239,11 @@ } ], "id": "file_permissions_at_allow", - "title": "undefined title", + "title": "Verify Permissions on /etc/at.allow file", "desc": "Ifexists, it must have permissionsor more restrictive.\n\n\nTo properly set the permissions of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0640 /etc/at.allow\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0640 /etc/at.allow\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -81264,7 +81264,7 @@ } ], "id": "file_permissions_backup_etc_group", - "title": "undefined title", + "title": "Verify Permissions on Backup group File", "desc": "To properly set the permissions of, run the command:", "impact": 0.5, "descs": { @@ -81289,7 +81289,7 @@ } ], "id": "file_permissions_backup_etc_gshadow", - "title": "undefined title", + "title": "Verify Permissions on Backup gshadow File", "desc": "To properly set the permissions of, run the command:", "impact": 0.5, "descs": { @@ -81314,7 +81314,7 @@ } ], "id": "file_permissions_backup_etc_passwd", - "title": "undefined title", + "title": "Verify Permissions on Backup passwd File", "desc": "To properly set the permissions of, run the command:", "impact": 0.5, "descs": { @@ -81339,7 +81339,7 @@ } ], "id": "file_permissions_backup_etc_shadow", - "title": "undefined title", + "title": "Verify Permissions on Backup shadow File", "desc": "To properly set the permissions of, run the command:", "impact": 0.5, "descs": { 
@@ -81436,19 +81436,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -81693,7 +81693,7 @@ } ], "id": "file_permissions_binary_dirs", - "title": "undefined title", + "title": "Verify that System Executables Have Restrictive Permissions", "desc": "System executables are stored in the following directories by default:All files in these directories should not be group-writable or world-writable.\nIf any filein these directories is found\nto be group-writable or world-writable, correct its permission with the\nfollowing command:", "impact": 0.5, "descs": {} @@ -81716,11 +81716,11 @@ } ], "id": "file_permissions_cron_allow", - "title": "undefined title", + "title": "Verify Permissions on /etc/cron.allow file", "desc": "Ifexists, it must have permissionsor more restrictive.\n\n\nTo properly set the permissions of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0640 /etc/cron.allow\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0640 /etc/cron.allow\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -81814,19 +81814,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -81999,11 +81999,11 @@ } ], "id": "file_permissions_cron_d", - "title": "undefined title", + "title": "Verify Permissions on cron.d", "desc": "To properly set the permissions of, run the command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0700 /etc/cron.d/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0700 /etc/cron.d/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -82097,19 +82097,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -82282,11 +82282,11 @@
 }
 ],
 "id": "file_permissions_cron_daily",
- "title": "undefined title",
+ "title": "Verify Permissions on cron.daily",
 "desc": "To properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
- "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0700 /etc/cron.daily/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
+ "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0700 /etc/cron.daily/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
 }
 },
 {
@@ -82380,19 +82380,19 @@
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -82565,11 +82565,11 @@
 }
 ],
 "id": "file_permissions_cron_hourly",
- "title": "undefined title",
+ "title": "Verify Permissions on cron.hourly",
 "desc": "To properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
- "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0700 /etc/cron.hourly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
+ "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0700 /etc/cron.hourly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
 }
 },
 {
@@ -82663,19 +82663,19 @@
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -82848,11 +82848,11 @@
 }
 ],
 "id": "file_permissions_cron_monthly",
- "title": "undefined title",
+ "title": "Verify Permissions on cron.monthly",
 "desc": "To properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
- "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0700 /etc/cron.monthly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
+ "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0700 /etc/cron.monthly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
 }
 },
 {
@@ -82946,19 +82946,19 @@
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -83131,11 +83131,11 @@
 }
 ],
 "id": "file_permissions_cron_weekly",
- "title": "undefined title",
+ "title": "Verify Permissions on cron.weekly",
 "desc": "To properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
- "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0700 /etc/cron.weekly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
+ "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0700 /etc/cron.weekly/\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
 }
 },
 {
@@ -83229,19 +83229,19 @@
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -83414,11 +83414,11 @@
 }
 ],
 "id": "file_permissions_crontab",
- "title": "undefined title",
+ "title": "Verify Permissions on crontab",
 "desc": "To properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
- "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0600 /etc/crontab\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
+ "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0600 /etc/crontab\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
 }
 },
 {
@@ -83524,19 +83524,19 @@
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -83763,7 +83763,7 @@
 }
 ],
 "id": "file_permissions_etc_group",
- "title": "undefined title",
+ "title": "Verify Permissions on group File",
 "desc": "To properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
@@ -83867,19 +83867,19 @@
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -84100,7 +84100,7 @@
 }
 ],
 "id": "file_permissions_etc_gshadow",
- "title": "undefined title",
+ "title": "Verify Permissions on gshadow File",
 "desc": "To properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
@@ -84125,7 +84125,7 @@
 }
 ],
 "id": "file_permissions_etc_issue",
- "title": "undefined title",
+ "title": "Verify permissions on System Login Banner",
 "desc": "To properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
@@ -84150,7 +84150,7 @@
 }
 ],
 "id": "file_permissions_etc_motd",
- "title": "undefined title",
+ "title": "Verify permissions on Message of the Day Banner",
 "desc": "To properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
@@ -84260,19 +84260,19 @@
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -84499,7 +84499,7 @@
 }
 ],
 "id": "file_permissions_etc_passwd",
- "title": "undefined title",
+ "title": "Verify Permissions on passwd File",
 "desc": "To properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
@@ -84609,19 +84609,19 @@
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -84848,7 +84848,7 @@
 }
 ],
 "id": "file_permissions_etc_shadow",
- "title": "undefined title",
+ "title": "Verify Permissions on shadow File",
 "desc": "To properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
@@ -85024,19 +85024,19 @@
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -85203,11 +85203,11 @@
 }
 ],
 "id": "file_permissions_grub2_cfg",
- "title": "undefined title",
+ "title": "Verify /boot/grub/grub.cfg Permissions",
 "desc": "File permissions forshould be set to 600.\n\nTo properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
- "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0600 /boot/grub/grub.cfg\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
+ "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0600 /boot/grub/grub.cfg\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
 }
 },
 {
@@ -85239,7 +85239,7 @@
 }
 ],
 "id": "file_permissions_home_directories",
- "title": "undefined title",
+ "title": "All Interactive User Home Directories Must Have mode 0750 Or Less Permissive",
 "desc": "Change the mode of interactive users home directories to. To\nchange the mode of interactive users home directory, use the\nfollowing command:",
 "impact": 0.5,
 "descs": {}
@@ -85334,19 +85334,19 @@
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -85573,7 +85573,7 @@
 }
 ],
 "id": "file_permissions_home_dirs",
- "title": "undefined title",
+ "title": "Ensure that User Home Directories are not Group-Writable or World-Readable",
 "desc": "For each human user of the system, view the\npermissions of the user's home directory:Ensure that the directory is not group-writable and that it\nis not world-readable. If necessary, repair the permissions:",
 "impact": 0.5,
 "descs": {}
@@ -85669,19 +85669,19 @@
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -85926,7 +85926,7 @@
 }
 ],
 "id": "file_permissions_library_dirs",
- "title": "undefined title",
+ "title": "Verify that Shared Library Files Have Restrictive Permissions",
 "desc": "System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:Kernel modules, which can be added to the kernel during runtime, are\nstored in. All files in these directories\nshould not be group-writable or world-writable. If any file in these\ndirectories is found to be group-writable or world-writable, correct\nits permission with the following command:",
 "impact": 0.5,
 "descs": {
@@ -86024,19 +86024,19 @@
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -86269,11 +86269,11 @@
 }
 ],
 "id": "file_permissions_sshd_config",
- "title": "undefined title",
+ "title": "Verify Permissions on SSH Server config file",
 "desc": "To properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
- "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0600 /etc/ssh/sshd_config\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
+ "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nchmod 0600 /etc/ssh/sshd_config\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
 }
 },
 {
@@ -86391,19 +86391,19 @@
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -86636,11 +86636,11 @@
 }
 ],
 "id": "file_permissions_sshd_private_key",
- "title": "undefined title",
+ "title": "Verify Permissions on SSH Server Private *_key Key Files",
 "desc": "To properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
- "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nreadarray -t files < <(find /etc/ssh/)\nfor file in \"${files[@]}\"; do\n if basename $file | grep -q '^.*_key$'; then\n chmod 0600 $file\n fi \ndone\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
+ "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nreadarray -t files < <(find /etc/ssh/)\nfor file in \"${files[@]}\"; do\n if basename $file | grep -q '^.*_key$'; then\n chmod 0600 $file\n fi \ndone\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
 }
 },
 {
@@ -86752,19 +86752,19 @@
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -86997,11 +86997,11 @@
 }
 ],
 "id": "file_permissions_sshd_pub_key",
- "title": "undefined title",
+ "title": "Verify Permissions on SSH Server Public *.pub Key Files",
 "desc": "To properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
- "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nreadarray -t files < <(find /etc/ssh/)\nfor file in \"${files[@]}\"; do\n if basename $file | grep -q '^.*.pub$'; then\n chmod 0644 $file\n fi \ndone\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
+ "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nreadarray -t files < <(find /etc/ssh/)\nfor file in \"${files[@]}\"; do\n if basename $file | grep -q '^.*.pub$'; then\n chmod 0644 $file\n fi \ndone\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
 }
 },
 {
@@ -87021,7 +87021,7 @@
 }
 ],
 "id": "file_permissions_systemmap",
- "title": "undefined title",
+ "title": "Verify that local System.map file (if exists) is readable only by root",
 "desc": "Files containing sensitive informations should be protected by restrictive\n permissions. Most of the time, there is no need that these files need to be read by any non-root user\n\nTo properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {}
@@ -87123,19 +87123,19 @@
 {
 "ref": "4.3.3.7.3",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731"
 ]
 },
 {
 "ref": "SR 2.1",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
 "ref": "SR 5.2",
 "url": [
- "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
+ "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785"
 ]
 },
 {
@@ -87356,7 +87356,7 @@
 }
 ],
 "id": "file_permissions_unauthorized_world_writable",
- "title": "undefined title",
+ "title": "Ensure No World-Writable Files Exist",
 "desc": "It is generally a good idea to remove global (other) write\naccess to a file when it is discovered. However, check with\ndocumentation for specific applications before making changes.\nAlso, monitor for recurring world-writable files, as these may be\nsymptoms of a misconfigured application or user account. Finally,\nthis applies to real files and not virtual files that are a part of\npseudo file systems such asor.",
 "impact": 0.5,
 "descs": {
@@ -87393,7 +87393,7 @@
 }
 ],
 "id": "file_permissions_var_log",
- "title": "undefined title",
+ "title": "Verify Permissions on /var/log Directory",
 "desc": "To properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
@@ -87424,7 +87424,7 @@
 }
 ],
 "id": "file_permissions_var_log_messages",
- "title": "undefined title",
+ "title": "Verify Permissions on /var/log/messages File",
 "desc": "To properly set the permissions of, run the command:",
 "impact": 0.5,
 "descs": {
@@ -87441,7 +87441,7 @@
 },
 "refs": [],
 "id": "ftp_configure_firewall",
- "title": "undefined title",
+ "title": "Configure Firewalls to Protect the FTP Server",
 "desc": "By default,blocks access to the ports used by the web server.\n\nTo configureto allow port 21 traffic, one must editand(if IPv6 is in use).\nAdd the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain:Edit the file. Ensure that the space-separated list of modules contains\nthe FTP connection tracking module:",
 "impact": 0.5,
 "descs": {}
@@ -87456,7 +87456,7 @@
 },
 "refs": [],
 "id": "ftp_limit_users",
- "title": "undefined title",
+ "title": "Limit Users Allowed FTP Access if Necessary",
 "desc": "If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options:Edit the file. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:If anonymous access is also required, add the anonymous usernames toas well.",
 "impact": 0.5,
 "descs": {}
@@ -87551,145 +87551,145 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -87856,7 +87856,7 @@ } ], "id": "gid_passwd_group_same", - "title": "undefined title", + "title": "All GIDs referenced in /etc/passwd must be defined in /etc/group", "desc": "Add a group to the system for each GID referenced without a corresponding group.", "impact": 0.3, "descs": {} 
@@ -87872,11 +87872,11 @@ }, "refs": [], "id": "gnome_gdm_disable_xdmcp", - "title": "undefined title", + "title": "Disable XDMCP in GDM", "desc": "XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g..\n\nTo disable XDMCP support in Gnome, settounder theconfiguration section in. For example:", "impact": 0.7, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'gdm3' 2>/dev/null | grep -q installed; then\n\n# Try find '[xdmcp]' and 'Enable' in '/etc/gdm/custom.conf', if it exists, set\n# to 'false', if it isn't here, add it, if '[xdmcp]' doesn't exist, add it there\nif grep -qzosP '[[:space:]]*\\[xdmcp]([^\\n\\[]*\\n+)+?[[:space:]]*Enable' '/etc/gdm/custom.conf'; then\n \n sed -i 's/Enable[^(\\n)]*/Enable=false/' '/etc/gdm/custom.conf'\nelif grep -qs '[[:space:]]*\\[xdmcp]' '/etc/gdm/custom.conf'; then\n sed -i '/[[:space:]]*\\[xdmcp]/a Enable=false' '/etc/gdm/custom.conf'\nelse\n if test -d \"/etc/gdm\"; then\n printf '%s\\n' '[xdmcp]' 'Enable=false' >> '/etc/gdm/custom.conf'\n else\n echo \"Config file directory '/etc/gdm' doesnt exist, not remediating, assuming non-applicability.\" >&2\n fi\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'gdm3' 2>/dev/null | grep -q installed; then\n\n# Try find '[xdmcp]' and 'Enable' in '/etc/gdm/custom.conf', if it exists, set\n# to 'false', if it isn't here, add it, if '[xdmcp]' doesn't exist, add it there\nif grep -qzosP '[[:space:]]*\\[xdmcp]([^\\n\\[]*\\n+)+?[[:space:]]*Enable' '/etc/gdm/custom.conf'; then\n \n sed -i 's/Enable[^(\\n)]*/Enable=false/' '/etc/gdm/custom.conf'\nelif grep -qs '[[:space:]]*\\[xdmcp]' '/etc/gdm/custom.conf'; then\n sed -i '/[[:space:]]*\\[xdmcp]/a Enable=false' '/etc/gdm/custom.conf'\nelse\n if test -d \"/etc/gdm\"; then\n printf 
'%s\\n' '[xdmcp]' 'Enable=false' >> '/etc/gdm/custom.conf'\n else\n echo \"Config file directory '/etc/gdm' doesnt exist, not remediating, assuming non-applicability.\" >&2\n fi\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -88186,181 +88186,181 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" 
] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -88599,11 +88599,11 @@ } ], "id": "grub2_audit_argument", - "title": "undefined title", + "title": "Enable Auditing for Processes Which Start Prior to the Audit Daemon", "desc": "To ensure all processes can be audited, even those which start\nprior to the audit daemon, add the argumentto the default\nGRUB 2 command line for the Linux operating system in, in the manner below:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\\n' 'grub2-common' 2>/dev/null | grep -q installed; }; then\n\n# Correct the form of default kernel command line in GRUB\nif grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*\"' '/etc/default/grub' ; then\n\t# modify the GRUB command-line if an audit= arg already exists\n\tsed -i 's/\\(^GRUB_CMDLINE_LINUX=\".*\\)audit=[^[:space:]]*\\(.*\"\\)/\\1 audit=1 \\2/' '/etc/default/grub'\nelse\n\t# no audit=arg is present, append it\n\tsed -i 's/\\(^GRUB_CMDLINE_LINUX=\".*\\)\"/\\1 audit=1\"/' '/etc/default/grub'\nfi\n\n\nupdate-grub\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\\n' 'grub2-common' 2>/dev/null | grep -q installed; }; then\n\n# Correct the form of default kernel command line in GRUB\nif grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*\"' '/etc/default/grub' ; then\n\t# modify the GRUB command-line if an audit= arg already exists\n\tsed -i 's/\\(^GRUB_CMDLINE_LINUX=\".*\\)audit=[^[:space:]]*\\(.*\"\\)/\\1 audit=1 \\2/' '/etc/default/grub'\nelse\n\t# no audit=arg is present, append it\n\tsed -i 's/\\(^GRUB_CMDLINE_LINUX=\".*\\)\"/\\1 audit=1\"/' '/etc/default/grub'\nfi\n\n\nupdate-grub\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
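Review bot: The `desc` value on the new side has lost whatever text sat inside inline markup — `add the argumentto the default\nGRUB 2 command line for the Linux operating system in, in the manner below:` reads as if the kernel parameter name and the file name were dropped together with their tags, so the exported rule no longer tells the reader which argument to set or where. The same gap shows up in the grub2_password and grub2_uefi_password hunks (`modify thefile with the following content:`) and in iptables_sshd_disabled (`Edit the filesand(if IPv6 is in use)`), so I am raising it once here rather than per hunk. These are context lines, so the commit did not introduce the loss, but the titles it fills in make the descriptions the next thing a reader relies on. This file looks like parser output; if so, the fix belongs where inline tags are stripped from description text — keep the tag's text content and remove only the tag — after which this fixture should be regenerated rather than edited by hand.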
@@ -88648,11 +88648,11 @@ } ], "id": "grub2_audit_backlog_limit_argument", - "title": "undefined title", + "title": "Extend Audit Backlog Limit for the Audit Daemon", "desc": "To improve the kernel capacity to queue all log events, even those which occurred\nprior to the audit daemon, add the argumentto the default\nGRUB 2 command line for the Linux operating system in, in the manner below:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\\n' 'grub2-common' 2>/dev/null | grep -q installed; }; then\n\n# Correct the form of default kernel command line in GRUB\nif grep -q '^GRUB_CMDLINE_LINUX=.*audit_backlog_limit=.*\"' '/etc/default/grub' ; then\n\t# modify the GRUB command-line if an audit_backlog_limit= arg already exists\n\tsed -i 's/\\(^GRUB_CMDLINE_LINUX=\".*\\)audit_backlog_limit=[^[:space:]]*\\(.*\"\\)/\\1 audit_backlog_limit=8192 \\2/' '/etc/default/grub'\nelse\n\t# no audit_backlog_limit=arg is present, append it\n\tsed -i 's/\\(^GRUB_CMDLINE_LINUX=\".*\\)\"/\\1 audit_backlog_limit=8192\"/' '/etc/default/grub'\nfi\n\n\nupdate-grub\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\\n' 'grub2-common' 2>/dev/null | grep -q installed; }; then\n\n# Correct the form of default kernel command line in GRUB\nif grep -q '^GRUB_CMDLINE_LINUX=.*audit_backlog_limit=.*\"' '/etc/default/grub' ; then\n\t# modify the GRUB command-line if an audit_backlog_limit= arg already exists\n\tsed -i 's/\\(^GRUB_CMDLINE_LINUX=\".*\\)audit_backlog_limit=[^[:space:]]*\\(.*\"\\)/\\1 audit_backlog_limit=8192 \\2/' '/etc/default/grub'\nelse\n\t# no audit_backlog_limit=arg is present, append it\n\tsed -i 's/\\(^GRUB_CMDLINE_LINUX=\".*\\)\"/\\1 audit_backlog_limit=8192\"/' '/etc/default/grub'\nfi\n\n\nupdate-grub\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -88673,11 +88673,11 @@ } ], "id": "grub2_enable_iommu_force", - "title": "undefined title", + "title": "IOMMU configuration directive", "desc": "On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some\n of the system critical units such as the memory.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\n\n# Correct the form of default kernel command line in GRUB\nif grep -q '^GRUB_CMDLINE_LINUX=.*iommu=.*\"' '/etc/default/grub' ; then\n\t# modify the GRUB command-line if an iommu= arg already exists\n\tsed -i 's/\\(^GRUB_CMDLINE_LINUX=\".*\\)iommu=[^[:space:]]*\\(.*\"\\)/\\1 iommu=force \\2/' '/etc/default/grub'\nelse\n\t# no iommu=arg is present, append it\n\tsed -i 's/\\(^GRUB_CMDLINE_LINUX=\".*\\)\"/\\1 iommu=force\"/' '/etc/default/grub'\nfi\n\n\nupdate-grub\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\n\n# Correct the form of default kernel command line in GRUB\nif grep -q '^GRUB_CMDLINE_LINUX=.*iommu=.*\"' '/etc/default/grub' ; then\n\t# modify the GRUB command-line if an iommu= arg already exists\n\tsed -i 's/\\(^GRUB_CMDLINE_LINUX=\".*\\)iommu=[^[:space:]]*\\(.*\"\\)/\\1 iommu=force \\2/' '/etc/default/grub'\nelse\n\t# no iommu=arg is present, append it\n\tsed -i 's/\\(^GRUB_CMDLINE_LINUX=\".*\\)\"/\\1 iommu=force\"/' '/etc/default/grub'\nfi\n\n\nupdate-grub\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -88884,253 +88884,253 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -89279,7 +89279,7 @@ } ], "id": "grub2_password", - "title": "undefined title", + "title": "Set Boot Loader Password in grub2", "desc": "The grub2 boot loader should have a superuser account and password\nprotection enabled to protect boot-time settings.Since plaintext passwords are a security risk, generate a hash for the password\nby running the following command:When prompted, enter the password that was selected.Using the hash from the output, modify thefile with the following content:NOTE: the bootloader superuser account and password MUST differ from the\nroot account and password.Once the superuser password has been added,\nupdate thefile by running:", "impact": 0.7, "descs": {} 
@@ -89464,253 +89464,253 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -89805,7 +89805,7 @@ } ], "id": "grub2_uefi_password", - "title": "undefined title", + "title": "Set the UEFI Boot Loader Password", "desc": "The grub2 boot loader should have a superuser account and password\nprotection enabled to protect boot-time settings.Since plaintext passwords are a security risk, generate a hash for the password\nby running the following command:When prompted, enter the password that was selected.Using the hash from the output, modify thefile with the following content:NOTE: the bootloader superuser account and password MUST differ from the\nroot account and password.\n\nOnce the superuser password has been added,\nupdate thefile by running:", "impact": 0.7, "descs": {} 
@@ -89900,11 +89900,11 @@ } ], "id": "harden_ssh_client_crypto_policy", - "title": "undefined title", + "title": "Harden SSH client Crypto Policy", "desc": "Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH client.\nTo override the system wide crypto policy for Openssh client, place a file in theso that it is loaded before the. In this case it is file namedcontaining parameters which need to be changed with respect to the crypto policy.\nThis rule checks if the file exists and if it contains required parameters and values which modify the Crypto Policy.\nDuring the parsing process, as soon as Openssh client parses some configuration option and its value, it remembers it and ignores any subsequent overrides. The customization mechanism provided by crypto policies appends eventual customizations at the end of the system wide crypto policy. Therefore, if the crypto policy customization overrides some parameter which is already configured in the system wide crypto policy, the SSH client will not honor that customized parameter.", "impact": 0.5, "descs": { - "fix": "#the file starts with 02 so that it is loaded before the 05-redhat.conf which activates configuration provided by system vide crypto policy\nfile=\"/etc/ssh/ssh_config.d/02-ospp.conf\"\necho -e \"Match final all\\n\\\nRekeyLimit 512M 1h\\n\\\nGSSAPIAuthentication no\\n\\\nCiphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc\\n\\\nPubkeyAcceptedKeyTypes ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256\\n\\\nMACs hmac-sha2-512,hmac-sha2-256\\n\\\nKexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1\\n\" > \"$file\"" + "fix": "#the file starts with 02 so that it is loaded before the 05-redhat.conf which activates configuration provided by system vide crypto policy\nfile=\"/etc/ssh/ssh_config.d/02-ospp.conf\"\necho -e \"Match final all\\n\\\nRekeyLimit 512M 1h\\n\\\nGSSAPIAuthentication no\\n\\\nCiphers 
aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc\\n\\\nPubkeyAcceptedKeyTypes ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256\\n\\\nMACs hmac-sha2-512,hmac-sha2-256\\n\\\nKexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1\\n\" > \"$file\"" } }, { @@ -89979,11 +89979,11 @@ } ], "id": "install_smartcard_packages", - "title": "undefined title", + "title": "Install Smart Card Packages For Multifactor Authentication", "desc": "Configure the operating system to implement multifactor authentication by\ninstalling the required package with the following command:\n\nThepackage can be installed with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"libpam-pkcs11\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"libpam-pkcs11\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -90057,7 +90057,7 @@ } ], "id": "installed_OS_is_FIPS_certified", - "title": "undefined title", + "title": "The Installed Operating System Is FIPS 140-2 Certified", "desc": "To enable processing of sensitive information the operating system must\nprovide certified cryptographic modules compliant with FIPS 140-2\nstandard.\n\nUbuntu Linux is supported by Canonical Ltd. As the Ubuntu Linux Vendor, Canonical Ltd. is\nresponsible for government certifications and standards.\n\nUsers of Ubuntu Linux either need an Ubuntu Advantage subscription or need\nto be using Ubuntu Pro from a sponsored vendor in order to have access to\nFIPS content supported by Canonical.", "impact": 0.7, "descs": {} 
@@ -90072,7 +90072,7 @@ }, "refs": [], "id": "iptables_sshd_disabled", - "title": "undefined title", + "title": "Remove SSH Server iptables Firewall exception (Unusual)", "desc": "By default, inbound connections to SSH's port are allowed. If the SSH\nserver is not being used, this exception should be removed from the\nfirewall configuration.Edit the filesand(if IPv6 is in use). In each file, locate\nand delete the line:This is unusual, as SSH is a common method for encrypted and authenticated\nremote access.", "impact": 0.5, "descs": {} @@ -90118,7 +90118,7 @@ } ], "id": "is_fips_mode_enabled", - "title": "undefined title", + "title": "Verify '/proc/sys/crypto/fips_enabled' exists", "desc": "On a system where FIPS 140-2 mode is enabled,must exist.\nTo verify FIPS mode, run the following command:", "impact": 0.7, "descs": {} @@ -90153,11 +90153,11 @@ } ], "id": "kerberos_disable_no_keytab", - "title": "undefined title", + "title": "Disable Kerberos by removing host keytab", "desc": "Kerberos is not an approved key distribution method for\nCommon Criteria. To prevent using Kerberos by system daemons,\nremove the Kerberos keytab files, especially.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nrm -f /etc/*.keytab\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nrm -f /etc/*.keytab\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -90170,7 +90170,7 @@ }, "refs": [], "id": "kernel_disable_entropy_contribution_for_solid_state_drives", - "title": "undefined title", + "title": "Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool", "desc": "For each solid-state drive on the system, run:", "impact": 0.5, "descs": {} 
@@ -90272,265 +90272,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -90613,11 +90613,11 @@ } ], "id": "kernel_module_cramfs_disabled", - "title": "undefined title", + "title": "Disable Mounting of cramfs", "desc": "To configure the system to prevent thekernel module from being loaded, add the following line to a file in the directory:This effectively prevents usage of this uncommon filesystem.\n\nThefilesystem type is a compressed read-only\nLinux filesystem embedded in small footprint systems. Aimage can be used without having to first\ndecompress the image.", "impact": 0.3, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install cramfs\" /etc/modprobe.d/cramfs.conf ; then\n\t\n\tsed -i 's#^install cramfs.*#install cramfs /bin/true#g' /etc/modprobe.d/cramfs.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/cramfs.conf\n\techo \"install cramfs /bin/true\" >> /etc/modprobe.d/cramfs.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install cramfs\" /etc/modprobe.d/cramfs.conf ; then\n\t\n\tsed -i 's#^install cramfs.*#install cramfs /bin/true#g' /etc/modprobe.d/cramfs.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/cramfs.conf\n\techo \"install cramfs /bin/true\" >> /etc/modprobe.d/cramfs.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -90723,265 +90723,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -91070,11 +91070,11 @@ } ], "id": "kernel_module_dccp_disabled", - "title": "undefined title", + "title": "Disable DCCP Support", "desc": "The Datagram Congestion Control Protocol (DCCP) is a\nrelatively new transport layer protocol, designed to support\nstreaming media and telephony.\n\nTo configure the system to prevent thekernel module from being loaded, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install dccp\" /etc/modprobe.d/dccp.conf ; then\n\t\n\tsed -i 's#^install dccp.*#install dccp /bin/true#g' /etc/modprobe.d/dccp.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/dccp.conf\n\techo \"install dccp /bin/true\" >> /etc/modprobe.d/dccp.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install dccp\" /etc/modprobe.d/dccp.conf ; then\n\t\n\tsed -i 's#^install dccp.*#install dccp /bin/true#g' /etc/modprobe.d/dccp.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/dccp.conf\n\techo \"install dccp /bin/true\" >> /etc/modprobe.d/dccp.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -91168,265 +91168,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -91503,11 +91503,11 @@ } ], "id": "kernel_module_freevxfs_disabled", - "title": "undefined title", + "title": "Disable Mounting of freevxfs", "desc": "To configure the system to prevent thekernel module from being loaded, add the following line to a file in the directory:This effectively prevents usage of this uncommon filesystem.", "impact": 0.3, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install freevxfs\" /etc/modprobe.d/freevxfs.conf ; then\n\t\n\tsed -i 's#^install freevxfs.*#install freevxfs /bin/true#g' /etc/modprobe.d/freevxfs.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/freevxfs.conf\n\techo \"install freevxfs /bin/true\" >> /etc/modprobe.d/freevxfs.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install freevxfs\" /etc/modprobe.d/freevxfs.conf ; then\n\t\n\tsed -i 's#^install freevxfs.*#install freevxfs /bin/true#g' /etc/modprobe.d/freevxfs.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/freevxfs.conf\n\techo \"install freevxfs /bin/true\" >> /etc/modprobe.d/freevxfs.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -91601,265 +91601,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -91936,11 +91936,11 @@ } ], "id": "kernel_module_hfs_disabled", - "title": "undefined title", + "title": "Disable Mounting of hfs", "desc": "To configure the system to prevent thekernel module from being loaded, add the following line to a file in the directory:This effectively prevents usage of this uncommon filesystem.", "impact": 0.3, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install hfs\" /etc/modprobe.d/hfs.conf ; then\n\t\n\tsed -i 's#^install hfs.*#install hfs /bin/true#g' /etc/modprobe.d/hfs.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/hfs.conf\n\techo \"install hfs /bin/true\" >> /etc/modprobe.d/hfs.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install hfs\" /etc/modprobe.d/hfs.conf ; then\n\t\n\tsed -i 's#^install hfs.*#install hfs /bin/true#g' /etc/modprobe.d/hfs.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/hfs.conf\n\techo \"install hfs /bin/true\" >> /etc/modprobe.d/hfs.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -92034,265 +92034,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -92369,11 +92369,11 @@ } ], "id": "kernel_module_hfsplus_disabled", - "title": "undefined title", + "title": "Disable Mounting of hfsplus", "desc": "To configure the system to prevent thekernel module from being loaded, add the following line to a file in the directory:This effectively prevents usage of this uncommon filesystem.", "impact": 0.3, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install hfsplus\" /etc/modprobe.d/hfsplus.conf ; then\n\t\n\tsed -i 's#^install hfsplus.*#install hfsplus /bin/true#g' /etc/modprobe.d/hfsplus.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/hfsplus.conf\n\techo \"install hfsplus /bin/true\" >> /etc/modprobe.d/hfsplus.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install hfsplus\" /etc/modprobe.d/hfsplus.conf ; then\n\t\n\tsed -i 's#^install hfsplus.*#install hfsplus /bin/true#g' /etc/modprobe.d/hfsplus.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/hfsplus.conf\n\techo \"install hfsplus /bin/true\" >> /etc/modprobe.d/hfsplus.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -92455,265 +92455,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -92790,11 +92790,11 @@ } ], "id": "kernel_module_ipv6_option_disabled", - "title": "undefined title", + "title": "Disable IPv6 Networking Support Automatic Loading", "desc": "To prevent the IPv6 kernel module () from binding to the\nIPv6 networking stack, add the following line to(or another file in):This permits the IPv6 module to be loaded (and thus satisfy other modules that\ndepend on it), while disabling support for the IPv6 protocol.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n# Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack\necho \"options ipv6 disable=1\" > /etc/modprobe.d/ipv6.conf\n\n# Since according to: https://access.redhat.com/solutions/72733\n# \"ipv6 disable=1\" options doesn't always disable the IPv6 networking stack from\n# loading, instruct also sysctl configuration to disable IPv6 according to:\n# https://access.redhat.com/solutions/8709#rhel6disable\n\ndeclare -a IPV6_SETTINGS=(\"net.ipv6.conf.all.disable_ipv6\" \"net.ipv6.conf.default.disable_ipv6\")\n\nfor setting in \"${IPV6_SETTINGS[@]}\"\ndo\n\t# Set runtime =1 for setting\n\t/sbin/sysctl -q -n -w \"$setting=1\"\n\n\t# If setting is present in /etc/sysctl.conf, change value to \"1\"\n\t# else, add \"$setting = 1\" to /etc/sysctl.conf\n\tif grep -q ^\"$setting\" /etc/sysctl.conf ; then\n\t\tsed -i \"s/^$setting.*/$setting = 1/g\" /etc/sysctl.conf\n\telse\n\t\techo \"\" >> /etc/sysctl.conf\n\t\techo \"# Set $setting = 1 per security requirements\" >> /etc/sysctl.conf\n\t\techo \"$setting = 1\" >> /etc/sysctl.conf\n\tfi\ndone\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\n# Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack\necho \"options ipv6 disable=1\" > /etc/modprobe.d/ipv6.conf\n\n# Since according to: https://access.redhat.com/solutions/72733\n# \"ipv6 disable=1\" options doesn't always disable the IPv6 networking stack from\n# loading, instruct also sysctl configuration to disable IPv6 according to:\n# https://access.redhat.com/solutions/8709#rhel6disable\n\ndeclare -a IPV6_SETTINGS=(\"net.ipv6.conf.all.disable_ipv6\" \"net.ipv6.conf.default.disable_ipv6\")\n\nfor setting in \"${IPV6_SETTINGS[@]}\"\ndo\n\t# Set runtime =1 for setting\n\t/sbin/sysctl -q -n -w \"$setting=1\"\n\n\t# If setting is present in /etc/sysctl.conf, change value to \"1\"\n\t# else, add \"$setting = 1\" to /etc/sysctl.conf\n\tif grep -q ^\"$setting\" /etc/sysctl.conf ; then\n\t\tsed -i \"s/^$setting.*/$setting = 1/g\" /etc/sysctl.conf\n\telse\n\t\techo \"\" >> /etc/sysctl.conf\n\t\techo \"# Set $setting = 1 per security requirements\" >> /etc/sysctl.conf\n\t\techo \"$setting = 1\" >> /etc/sysctl.conf\n\tfi\ndone\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -92888,265 +92888,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -93223,11 +93223,11 @@
 }
 ],
 "id": "kernel_module_jffs2_disabled",
- "title": "undefined title",
+ "title": "Disable Mounting of jffs2",
 "desc": "To configure the system to prevent thekernel module from being loaded, add the following line to a file in the directory:This effectively prevents usage of this uncommon filesystem.",
 "impact": 0.3,
 "descs": {
- "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install jffs2\" /etc/modprobe.d/jffs2.conf ; then\n\t\n\tsed -i 's#^install jffs2.*#install jffs2 /bin/true#g' /etc/modprobe.d/jffs2.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/jffs2.conf\n\techo \"install jffs2 /bin/true\" >> /etc/modprobe.d/jffs2.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
+ "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install jffs2\" /etc/modprobe.d/jffs2.conf ; then\n\t\n\tsed -i 's#^install jffs2.*#install jffs2 /bin/true#g' /etc/modprobe.d/jffs2.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/jffs2.conf\n\techo \"install jffs2 /bin/true\" >> /etc/modprobe.d/jffs2.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
 }
 },
 {
@@ -93315,265 +93315,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -93650,11 +93650,11 @@
 }
 ],
 "id": "kernel_module_rds_disabled",
- "title": "undefined title",
+ "title": "Disable RDS Support",
 "desc": "The Reliable Datagram Sockets (RDS) protocol is a transport\nlayer protocol designed to provide reliable high-bandwidth,\nlow-latency communications between nodes in a cluster.\n\nTo configure the system to prevent thekernel module from being loaded, add the following line to a file in the directory:",
 "impact": 0.3,
 "descs": {
- "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install rds\" /etc/modprobe.d/rds.conf ; then\n\t\n\tsed -i 's#^install rds.*#install rds /bin/true#g' /etc/modprobe.d/rds.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/rds.conf\n\techo \"install rds /bin/true\" >> /etc/modprobe.d/rds.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
+ "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install rds\" /etc/modprobe.d/rds.conf ; then\n\t\n\tsed -i 's#^install rds.*#install rds /bin/true#g' /etc/modprobe.d/rds.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/rds.conf\n\techo \"install rds /bin/true\" >> /etc/modprobe.d/rds.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
 }
 },
 {
@@ -93760,265 +93760,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -94101,11 +94101,11 @@
 }
 ],
 "id": "kernel_module_sctp_disabled",
- "title": "undefined title",
+ "title": "Disable SCTP Support",
 "desc": "The Stream Control Transmission Protocol (SCTP) is a\ntransport layer protocol, designed to support the idea of\nmessage-oriented communication, with several streams of messages\nwithin one connection.\n\nTo configure the system to prevent thekernel module from being loaded, add the following line to a file in the directory:",
 "impact": 0.5,
 "descs": {
- "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install sctp\" /etc/modprobe.d/sctp.conf ; then\n\t\n\tsed -i 's#^install sctp.*#install sctp /bin/true#g' /etc/modprobe.d/sctp.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/sctp.conf\n\techo \"install sctp /bin/true\" >> /etc/modprobe.d/sctp.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
+ "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install sctp\" /etc/modprobe.d/sctp.conf ; then\n\t\n\tsed -i 's#^install sctp.*#install sctp /bin/true#g' /etc/modprobe.d/sctp.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/sctp.conf\n\techo \"install sctp /bin/true\" >> /etc/modprobe.d/sctp.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
 }
 },
 {
@@ -94199,265 +94199,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -94546,11 +94546,11 @@ } ], "id": "kernel_module_tipc_disabled", - "title": "undefined title", + "title": "Disable TIPC Support", "desc": "The Transparent Inter-Process Communication (TIPC) protocol\nis designed to provide communications between nodes in a\ncluster.\n\nTo configure the system to prevent thekernel module from being loaded, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install tipc\" /etc/modprobe.d/tipc.conf ; then\n\t\n\tsed -i 's#^install tipc.*#install tipc /bin/true#g' /etc/modprobe.d/tipc.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/tipc.conf\n\techo \"install tipc /bin/true\" >> /etc/modprobe.d/tipc.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install tipc\" /etc/modprobe.d/tipc.conf ; then\n\t\n\tsed -i 's#^install tipc.*#install tipc /bin/true#g' /etc/modprobe.d/tipc.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/tipc.conf\n\techo \"install tipc /bin/true\" >> /etc/modprobe.d/tipc.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -94644,265 +94644,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -94979,11 +94979,11 @@ } ], "id": "kernel_module_udf_disabled", - "title": "undefined title", + "title": "Disable Mounting of udf", "desc": "To configure the system to prevent thekernel module from being loaded, add the following line to a file in the directory:This effectively prevents usage of this uncommon filesystem.\n\nThefilesystem type is the universal disk format\nused to implement the ISO/IEC 13346 and ECMA-167 specifications.\nThis is an open vendor filesystem type for data storage on a broad\nrange of media. This filesystem type is neccessary to support\nwriting DVDs and newer optical disc formats.", "impact": 0.3, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install udf\" /etc/modprobe.d/udf.conf ; then\n\t\n\tsed -i 's#^install udf.*#install udf /bin/true#g' /etc/modprobe.d/udf.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/udf.conf\n\techo \"install udf /bin/true\" >> /etc/modprobe.d/udf.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install udf\" /etc/modprobe.d/udf.conf ; then\n\t\n\tsed -i 's#^install udf.*#install udf /bin/true#g' /etc/modprobe.d/udf.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/udf.conf\n\techo \"install udf /bin/true\" >> /etc/modprobe.d/udf.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -95155,157 +95155,157 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -95466,11 +95466,11 @@ } ], "id": "kernel_module_usb-storage_disabled", - "title": "undefined title", + "title": "Disable Modprobe Loading of USB Storage Driver", "desc": "To prevent USB storage devices from being used, configure the kernel module loading system\nto prevent automatic loading of the USB storage driver.\n\nTo configure the system to prevent thekernel module from being loaded, add the following line to a file in the directory:This will prevent theprogram from loading themodule, but will not prevent an administrator (or another program) from using theprogram to load the module manually.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install usb-storage\" /etc/modprobe.d/usb-storage.conf ; then\n\t\n\tsed -i 's#^install usb-storage.*#install usb-storage /bin/true#g' /etc/modprobe.d/usb-storage.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/usb-storage.conf\n\techo \"install usb-storage /bin/true\" >> /etc/modprobe.d/usb-storage.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif LC_ALL=C grep -q -m 1 \"^install usb-storage\" /etc/modprobe.d/usb-storage.conf ; then\n\t\n\tsed -i 's#^install usb-storage.*#install usb-storage /bin/true#g' /etc/modprobe.d/usb-storage.conf\nelse\n\techo -e \"\\n# Disable per security requirements\" >> /etc/modprobe.d/usb-storage.conf\n\techo \"install usb-storage /bin/true\" >> /etc/modprobe.d/usb-storage.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -95588,265 +95588,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -96043,11 +96043,11 @@ } ], "id": "mount_option_dev_shm_nodev", - "title": "undefined title", + "title": "Add nodev Option to /dev/shm", "desc": "Themount option can be used to prevent creation of device\nfiles in. Legitimate character and block devices should\nnot exist within temporary directories like.\nAdd theoption to the fourth column offor the line which controls mounting of.", "impact": 0.3, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nfunction perform_remediation {\n \n\n mount_point_match_regexp=\"$(printf \"[[:space:]]%s[[:space:]]\" /dev/shm)\"\n\n # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab\n if [ \"$(grep -c \"$mount_point_match_regexp\" /etc/fstab)\" -eq 0 ]; then\n # runtime opts without some automatic kernel/userspace-added defaults\n previous_mount_opts=$(grep \"$mount_point_match_regexp\" /etc/mtab | head -1 | awk '{print $4}' \\\n | sed -E \"s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//\")\n [ \"$previous_mount_opts\" ] && previous_mount_opts+=\",\"\n echo \"tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nodev 0 0\" >> /etc/fstab\n # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it\n elif [ \"$(grep \"$mount_point_match_regexp\" /etc/fstab | grep -c \"nodev\")\" -eq 0 ]; then\n previous_mount_opts=$(grep \"$mount_point_match_regexp\" /etc/fstab | awk '{print $4}')\n sed -i \"s|\\(${mount_point_match_regexp}.*${previous_mount_opts}\\)|\\1,nodev|\" /etc/fstab\n fi\n\n if mkdir -p \"/dev/shm\"; then\n if mountpoint -q \"/dev/shm\"; then\n mount -o remount --target \"/dev/shm\"\n else\n mount --target \"/dev/shm\"\n fi\n fi\n}\n\nperform_remediation\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nfunction perform_remediation {\n \n\n mount_point_match_regexp=\"$(printf \"[[:space:]]%s[[:space:]]\" /dev/shm)\"\n\n # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab\n if [ \"$(grep -c \"$mount_point_match_regexp\" /etc/fstab)\" -eq 0 ]; then\n # runtime opts without some automatic kernel/userspace-added defaults\n previous_mount_opts=$(grep \"$mount_point_match_regexp\" /etc/mtab | head -1 | awk '{print $4}' \\\n | sed -E \"s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//\")\n [ \"$previous_mount_opts\" ] && previous_mount_opts+=\",\"\n echo \"tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nodev 0 0\" >> /etc/fstab\n # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it\n elif [ \"$(grep \"$mount_point_match_regexp\" /etc/fstab | grep -c \"nodev\")\" -eq 0 ]; then\n previous_mount_opts=$(grep \"$mount_point_match_regexp\" /etc/fstab | awk '{print $4}')\n sed -i \"s|\\(${mount_point_match_regexp}.*${previous_mount_opts}\\)|\\1,nodev|\" /etc/fstab\n fi\n\n if mkdir -p \"/dev/shm\"; then\n if mountpoint -q \"/dev/shm\"; then\n mount -o remount --target \"/dev/shm\"\n else\n mount --target \"/dev/shm\"\n fi\n fi\n}\n\nperform_remediation\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
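Review bot: The `desc` value pinned as expected output in this hunk reads `Themount option can be used to prevent creation of device\nfiles in.` and `Add theoption to the fourth column offor the line which controls mounting of.`, so the tokens that named the mount option and the mount point in the XCCDF source are missing from the normalized description. This is a context line, so the commit did not introduce the truncation, but the fixture now asserts that text as correct; the same pattern appears in the `mount_option_dev_shm_noexec` and `mount_option_dev_shm_nosuid` hunks below and in `no_all_squash_exports` (`Themaps all uids and gids`). Presumably the HTML-stripping step removes an inline element together with its inner text rather than only the tags — worth confirming before accepting the fixture, since a control description that omits which option to add to which mount point is not actionable for whoever reads the generated profile. The `-`/`+` pairs for the `url` and `fix` values render identically in this chunk, so whether the real change is entity decoding or whitespace cannot be confirmed from here and should be checked against the raw diff.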
@@ -96165,265 +96165,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -96620,11 +96620,11 @@ } ], "id": "mount_option_dev_shm_noexec", - "title": "undefined title", + "title": "Add noexec Option to /dev/shm", "desc": "Themount option can be used to prevent binaries\nfrom being executed out of.\nIt can be dangerous to allow the execution of binaries\nfrom world-writable temporary storage directories such as.\nAdd theoption to the fourth column offor the line which controls mounting of.", "impact": 0.3, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nfunction perform_remediation {\n \n\n mount_point_match_regexp=\"$(printf \"[[:space:]]%s[[:space:]]\" /dev/shm)\"\n\n # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab\n if [ \"$(grep -c \"$mount_point_match_regexp\" /etc/fstab)\" -eq 0 ]; then\n # runtime opts without some automatic kernel/userspace-added defaults\n previous_mount_opts=$(grep \"$mount_point_match_regexp\" /etc/mtab | head -1 | awk '{print $4}' \\\n | sed -E \"s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//\")\n [ \"$previous_mount_opts\" ] && previous_mount_opts+=\",\"\n echo \"tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0\" >> /etc/fstab\n # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it\n elif [ \"$(grep \"$mount_point_match_regexp\" /etc/fstab | grep -c \"noexec\")\" -eq 0 ]; then\n previous_mount_opts=$(grep \"$mount_point_match_regexp\" /etc/fstab | awk '{print $4}')\n sed -i \"s|\\(${mount_point_match_regexp}.*${previous_mount_opts}\\)|\\1,noexec|\" /etc/fstab\n fi\n\n if mkdir -p \"/dev/shm\"; then\n if mountpoint -q \"/dev/shm\"; then\n mount -o remount --target \"/dev/shm\"\n else\n mount --target \"/dev/shm\"\n fi\n fi\n}\n\nperform_remediation\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nfunction perform_remediation {\n \n\n mount_point_match_regexp=\"$(printf \"[[:space:]]%s[[:space:]]\" /dev/shm)\"\n\n # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab\n if [ \"$(grep -c \"$mount_point_match_regexp\" /etc/fstab)\" -eq 0 ]; then\n # runtime opts without some automatic kernel/userspace-added defaults\n previous_mount_opts=$(grep \"$mount_point_match_regexp\" /etc/mtab | head -1 | awk '{print $4}' \\\n | sed -E \"s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//\")\n [ \"$previous_mount_opts\" ] && previous_mount_opts+=\",\"\n echo \"tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0\" >> /etc/fstab\n # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it\n elif [ \"$(grep \"$mount_point_match_regexp\" /etc/fstab | grep -c \"noexec\")\" -eq 0 ]; then\n previous_mount_opts=$(grep \"$mount_point_match_regexp\" /etc/fstab | awk '{print $4}')\n sed -i \"s|\\(${mount_point_match_regexp}.*${previous_mount_opts}\\)|\\1,noexec|\" /etc/fstab\n fi\n\n if mkdir -p \"/dev/shm\"; then\n if mountpoint -q \"/dev/shm\"; then\n mount -o remount --target \"/dev/shm\"\n else\n mount --target \"/dev/shm\"\n fi\n fi\n}\n\nperform_remediation\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -96742,265 +96742,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -97197,11 +97197,11 @@ } ], "id": "mount_option_dev_shm_nosuid", - "title": "undefined title", + "title": "Add nosuid Option to /dev/shm", "desc": "Themount option can be used to prevent execution\nof setuid programs in. The SUID and SGID permissions should not\nbe required in these world-writable directories.\nAdd theoption to the fourth column offor the line which controls mounting of.", "impact": 0.3, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nfunction perform_remediation {\n \n\n mount_point_match_regexp=\"$(printf \"[[:space:]]%s[[:space:]]\" /dev/shm)\"\n\n # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab\n if [ \"$(grep -c \"$mount_point_match_regexp\" /etc/fstab)\" -eq 0 ]; then\n # runtime opts without some automatic kernel/userspace-added defaults\n previous_mount_opts=$(grep \"$mount_point_match_regexp\" /etc/mtab | head -1 | awk '{print $4}' \\\n | sed -E \"s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//\")\n [ \"$previous_mount_opts\" ] && previous_mount_opts+=\",\"\n echo \"tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nosuid 0 0\" >> /etc/fstab\n # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it\n elif [ \"$(grep \"$mount_point_match_regexp\" /etc/fstab | grep -c \"nosuid\")\" -eq 0 ]; then\n previous_mount_opts=$(grep \"$mount_point_match_regexp\" /etc/fstab | awk '{print $4}')\n sed -i \"s|\\(${mount_point_match_regexp}.*${previous_mount_opts}\\)|\\1,nosuid|\" /etc/fstab\n fi\n\n if mkdir -p \"/dev/shm\"; then\n if mountpoint -q \"/dev/shm\"; then\n mount -o remount --target \"/dev/shm\"\n else\n mount --target \"/dev/shm\"\n fi\n fi\n}\n\nperform_remediation\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nfunction perform_remediation {\n \n\n mount_point_match_regexp=\"$(printf \"[[:space:]]%s[[:space:]]\" /dev/shm)\"\n\n # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab\n if [ \"$(grep -c \"$mount_point_match_regexp\" /etc/fstab)\" -eq 0 ]; then\n # runtime opts without some automatic kernel/userspace-added defaults\n previous_mount_opts=$(grep \"$mount_point_match_regexp\" /etc/mtab | head -1 | awk '{print $4}' \\\n | sed -E \"s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//\")\n [ \"$previous_mount_opts\" ] && previous_mount_opts+=\",\"\n echo \"tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nosuid 0 0\" >> /etc/fstab\n # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it\n elif [ \"$(grep \"$mount_point_match_regexp\" /etc/fstab | grep -c \"nosuid\")\" -eq 0 ]; then\n previous_mount_opts=$(grep \"$mount_point_match_regexp\" /etc/fstab | awk '{print $4}')\n sed -i \"s|\\(${mount_point_match_regexp}.*${previous_mount_opts}\\)|\\1,nosuid|\" /etc/fstab\n fi\n\n if mkdir -p \"/dev/shm\"; then\n if mountpoint -q \"/dev/shm\"; then\n mount -o remount --target \"/dev/shm\"\n else\n mount --target \"/dev/shm\"\n fi\n fi\n}\n\nperform_remediation\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -97214,7 +97214,7 @@ }, "refs": [], "id": "no_all_squash_exports", - "title": "undefined title", + "title": "Ensure All-Squashing Disabled On All Exports", "desc": "Themaps all uids and gids to an anonymous user.\nThis should be disabled by removing any instances of theoption from the file.", "impact": 0.3, "descs": {} 
@@ -97382,145 +97382,145 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -97675,11 +97675,11 @@ } ], "id": "no_direct_root_logins", - "title": "undefined title", + "title": "Direct root Logins Not Allowed", "desc": "To further limit access to theaccount, administrators\ncan disable root logins at the console by editing thefile.\nThis file lists all devices the root user is allowed to login to. If the file does\nnot exist at all, the root user can login through any communication device on the\nsystem, whether via the console or via a raw network interface. This is dangerous\nas user can login to the system as root via Telnet, which sends the password in\nplain text over the network. By default, Ubuntu 20.04'sfile only allows the root user to login at the console\nphysically attached to the system. To prevent root from logging in, remove the\ncontents of this file. To prevent direct root logins, remove the contents of this\nfile by typing the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\necho > /etc/securetty\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\necho > /etc/securetty\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -97892,157 +97892,157 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -98299,7 +98299,7 @@ } ], "id": "no_empty_passwords", - "title": "undefined title", + "title": "Prevent Login to Accounts With Empty Password", "desc": "If an account is configured for password authentication\nbut does not have an assigned password, it may be possible to log\ninto the account without authentication. Remove any instances of theinto prevent logins with empty passwords.\nNote that this rule is not applicable for systems running within a\ncontainer. Having user with empty password within a container is not\nconsidered a risk, because it should not be possible to directly login into\na container anyway.", "impact": 0.7, "descs": {} 
@@ -98466,277 +98466,277 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -98969,7 +98969,7 @@ } ], "id": "no_files_unowned_by_user", - "title": "undefined title", + "title": "Ensure All Files Are Owned by a User", "desc": "If any files are not owned by a user, then the\ncause of their lack of ownership should be investigated.\nFollowing this, the files should be deleted or assigned to an\nappropriate user. The following command will discover and print\nany files on local partitions which do not belong to a valid user:To search all filesystems on a system including network mounted\nfilesystems the following command can be run manually for each partition:", "impact": 0.5, "descs": {} 
@@ -99100,253 +99100,253 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -99585,7 +99585,7 @@ } ], "id": "no_netrc_files", - "title": "undefined title", + "title": "Verify No netrc Files Exist", "desc": "Thefiles contain login information\nused to auto-login into FTP servers and reside in the user's home\ndirectory. These files may contain unencrypted passwords to\nremote FTP servers making them susceptible to access by unauthorized\nusers and should not be used. Anyfiles should be removed.", "impact": 0.5, "descs": {} @@ -99667,7 +99667,7 @@ } ], "id": "no_password_auth_for_systemaccounts", - "title": "undefined title", + "title": "Ensure that System Accounts Are Locked", "desc": "Some accounts are not associated with a human user of the system, and exist to\nperform some administrative function. An attacker should not be able to log into\nthese accounts.System accounts are those user accounts with a user ID\nless than UID_MIN, where value of the UID_MIN directive is set inconfiguration file. In the default configuration UID_MIN is set\nto 500, thus system accounts are those user accounts with a user ID less than\n500. If any system account(other than root) has an unlocked password,\ndisable it with the command:", "impact": 0.5, "descs": {} 
@@ -99834,319 +99834,319 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -100271,7 +100271,7 @@ } ], "id": "no_rsh_trust_files", - "title": "undefined title", + "title": "Remove Rsh Trust Files", "desc": "The filesand(in\neach user's home directory) list remote hosts and users that are trusted by the\nlocal system when using the rshd daemon.\nTo remove these files, run the following command to delete them from any\nlocation:", "impact": 0.7, "descs": {} 
@@ -100402,97 +100402,97 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -100653,7 +100653,7 @@ } ], "id": "no_shelllogin_for_systemaccounts", - "title": "undefined title", + "title": "Ensure that System Accounts Do Not Run a Shell Upon Login", "desc": "Some accounts are not associated with a human user of the system, and exist to\nperform some administrative function. Should an attacker be able to log into\nthese accounts, they should not be granted access to a shell.The login shell for each local account is stored in the last field of each line\nin. System accounts are those user accounts with a user ID\nless than UID_MIN, where value of UID_MIN directive is set in\n/etc/login.defs configuration file. In the default configuration UID_MIN is set\nto 1000, thus system accounts are those user accounts with a user ID less than\n1000. The user ID is stored in the third field. If any system account(other than root) has a login shell, disable it with the\ncommand:", "impact": 0.5, "descs": {} 
@@ -100742,67 +100742,67 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -100867,7 +100867,7 @@ } ], "id": "ntpd_specify_multiple_servers", - "title": "undefined title", + "title": "Specify Additional Remote NTP Servers", "desc": "Additional NTP servers can be specified for time synchronization\nin the file. To do so, add additional lines of the\nfollowing form, substituting the IP address or hostname of a remote NTP server for:", "impact": 0.5, "descs": {} 
@@ -100956,67 +100956,67 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -101081,7 +101081,7 @@ } ], "id": "ntpd_specify_remote_server", - "title": "undefined title", + "title": "Specify a Remote NTP Server", "desc": "To specify a remote NTP server for time synchronization, edit\nthe file. Add or correct the following lines,\nsubstituting the IP or hostname of a remote NTP server for:This instructs the NTP software to contact that remote server to obtain time\ndata.", "impact": 0.5, "descs": {} 
@@ -101411,199 +101411,199 @@ { "ref": "4.2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.2.3.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.2.3.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.2.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, 
{ "ref": "4.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.3", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -102028,7 +102028,7 @@ } ], "id": "package_MFEhiplsm_installed", - "title": "undefined title", + "title": "Install the Host Intrusion Prevention System (HIPS) Module", "desc": "Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely\nnecessary. If SELinux is enabled, do not install or enable this module.", "impact": 0.5, "descs": { 
@@ -102264,61 +102264,61 @@ { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -102473,11 +102473,11 @@ } ], "id": "package_aide_installed", - "title": "undefined title", + "title": "Install AIDE", "desc": "Thepackage can be installed with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"aide\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"aide\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -102510,11 +102510,11 @@ } ], "id": "package_audit-audispd-plugins_installed", - "title": "undefined title", + "title": "Ensure the default plugins for the audit dispatcher are Installed", "desc": "The audit-audispd-plugins package should be installed.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"audit-audispd-plugins\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"audit-audispd-plugins\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -102769,11 +102769,11 @@ } ], "id": "package_audit_installed", - "title": "undefined title", + "title": "Ensure the audit Subsystem is Installed", "desc": "The audit package should be installed.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"auditd\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"auditd\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -102867,265 +102867,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -103202,7 +103202,7 @@ } ], "id": "package_bind_removed", - "title": "undefined title", + "title": "Uninstall bind Package", "desc": "Theservice is provided by thepackage.\nThepackage can be removed with the following command:", "impact": 0.3, "descs": { 
@@ -103245,11 +103245,11 @@
 }
 ],
 "id": "package_chrony_installed",
- "title": "undefined title",
+ "title": "The Chrony package is installed",
 "desc": "System time should be synchronized between all systems in an environment. This is\ntypically done by establishing an authoritative time server or set of servers and having all\nsystems synchronize their clocks to them.\nThepackage can be installed with the following command:",
 "impact": 0.5,
 "descs": {
- "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"chrony\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
+ "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"chrony\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
 }
 },
 {
@@ -103343,265 +103343,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -103666,11 +103666,11 @@ } ], "id": "package_cron_installed", - "title": "undefined title", + "title": "Install the cron service", "desc": "The Cron service should be installed.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"cron\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"cron\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -103770,265 +103770,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -104105,7 +104105,7 @@ } ], "id": "package_dhcp_removed", - "title": "undefined title", + "title": "Uninstall DHCP Server Package", "desc": "If the system does not need to act as a DHCP server,\nthe dhcp package can be uninstalled.\n\nThepackage can be removed with the following command:", "impact": 0.5, "descs": { @@ -104130,7 +104130,7 @@ } ], "id": "package_dovecot_removed", - "title": "undefined title", + "title": "Uninstall dovecot Package", "desc": "Thepackage can be removed with the following command:", "impact": 0.5, "descs": { 
@@ -104179,11 +104179,11 @@
 }
 ],
 "id": "package_gdm_removed",
- "title": "undefined title",
+ "title": "Remove the GDM Package Group",
 "desc": "By removing thepackage, the system no longer has GNOME installed\n\ninstalled. If X Windows is not installed then the system cannot boot into graphical user mode.\nThis prevents the system from being accidentally or maliciously booted into amode. To do so, run the following command:",
 "impact": 0.5,
 "descs": {
- "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'gdm3' 2>/dev/null | grep -q installed; then\n\n# CAUTION: This remediation script will remove gdm3\n#\t from the system, and may remove any packages\n#\t that depend on gdm3. Execute this\n#\t remediation AFTER testing on a non-production\n#\t system!\n\nDEBIAN_FRONTEND=noninteractive apt-get remove -y \"gdm3\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
+ "fix": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'gdm3' 2>/dev/null | grep -q installed; then\n\n# CAUTION: This remediation script will remove gdm3\n#\t from the system, and may remove any packages\n#\t that depend on gdm3. Execute this\n#\t remediation AFTER testing on a non-production\n#\t system!\n\nDEBIAN_FRONTEND=noninteractive apt-get remove -y \"gdm3\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi"
 }
 },
 {
@@ -104210,7 +104210,7 @@
 }
 ],
 "id": "package_gnutls-utils_installed",
- "title": "undefined title",
+ "title": "Ensure gnutls-utils is installed",
 "desc": "Thepackage can be installed with the following command:",
 "impact": 0.5,
 "descs": {
@@ -104302,265 +104302,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -104637,7 +104637,7 @@ } ], "id": "package_httpd_removed", - "title": "undefined title", + "title": "Uninstall httpd Package", "desc": "Thepackage can be removed with the following command:", "impact": 0.5, "descs": { 
@@ -104765,319 +104765,319 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -105202,7 +105202,7 @@ } ], "id": "package_inetutils-telnetd_removed", - "title": "undefined title", + "title": "Uninstall the inet-based telnet server", "desc": "The inet-based telnet daemon should be uninstalled.", "impact": 0.7, "descs": { @@ -105239,7 +105239,7 @@ } ], "id": "package_iptables_installed", - "title": "undefined title", + "title": "Install iptables Package", "desc": "Thepackage can be installed with the following command:", "impact": 0.5, "descs": { @@ -105264,7 +105264,7 @@ } ], "id": "package_net-snmp_removed", - "title": "undefined title", + "title": "Uninstall net-snmp Package", "desc": "Thepackage provides the snmpd service.\nThepackage can be removed with the following command:", "impact": 0.5, "descs": { @@ -105289,7 +105289,7 @@ } ], "id": "package_nis_removed", - "title": "undefined title", + "title": "Uninstall the nis package", "desc": "The support for Yellowpages should not be installed unless it is required.", "impact": 0.3, "descs": { @@ -105320,7 +105320,7 @@ } ], "id": "package_nss-tools_installed", - "title": "undefined title", + "title": "Ensure nss-tools is installed", "desc": "Thepackage can be installed with the following command:", "impact": 0.5, "descs": { 
@@ -105430,67 +105430,67 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -105543,11 +105543,11 @@ } ], "id": "package_ntp_installed", - "title": "undefined title", + "title": "Install the ntp service", "desc": "The ntpd service should be installed.", "impact": 0.7, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"ntp\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"ntp\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -105561,7 +105561,7 @@ }, "refs": [], "id": "package_ntpdate_removed", - "title": "undefined title", + "title": "Uninstall the ntpdate package", "desc": "ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled.", "impact": 0.3, "descs": { @@ -105586,7 +105586,7 @@ } ], "id": "package_openldap-clients_removed", - "title": "undefined title", + "title": "Ensure LDAP client is not installed", "desc": "The Lightweight Directory Access Protocol (LDAP) is a service that provides\na method for looking up information from a central database.\nThepackage can be removed with the following command:", "impact": 0.3, "descs": { 
@@ -105684,265 +105684,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -106019,7 +106019,7 @@ } ], "id": "package_openldap-servers_removed", - "title": "undefined title", + "title": "Uninstall openldap-servers Package", "desc": "The slapd package is not installed by default on a Ubuntu 20.04\n\nsystem. It is needed only by the OpenLDAP server, not by the\nclients which use LDAP for authentication. If the system is not\nintended for use as an LDAP Server it should be removed.", "impact": 0.3, "descs": { 
@@ -106074,11 +106074,11 @@ } ], "id": "package_opensc_installed", - "title": "undefined title", + "title": "Install the opensc Package For Multifactor Authentication", "desc": "Thepackage can be installed with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"opensc-pkcs11\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"opensc-pkcs11\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -106166,31 +106166,31 @@ { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -106393,11 +106393,11 @@ } ], "id": "package_openssh-server_installed", - "title": "undefined title", + "title": "Install the OpenSSH Server Package", "desc": "Thepackage should be installed.\nThepackage can be installed with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"openssh-server\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"openssh-server\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -106411,11 +106411,11 @@ }, "refs": [], "id": "package_openssh-server_removed", - "title": "undefined title", + "title": "Remove the OpenSSH Server Package", "desc": "Thepackage should be removed.\nThepackage can be removed with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n# CAUTION: This remediation script will remove openssh-server\n#\t from the system, and may remove any packages\n#\t that depend on openssh-server. Execute this\n#\t remediation AFTER testing on a non-production\n#\t system!\n\nDEBIAN_FRONTEND=noninteractive apt-get remove -y \"openssh-server\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n# CAUTION: This remediation script will remove openssh-server\n#\t from the system, and may remove any packages\n#\t that depend on openssh-server. Execute this\n#\t remediation AFTER testing on a non-production\n#\t system!\n\nDEBIAN_FRONTEND=noninteractive apt-get remove -y \"openssh-server\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -106448,7 +106448,7 @@ } ], "id": "package_pam_pwquality_installed", - "title": "undefined title", + "title": "Install pam_pwquality Package", "desc": "Thepackage can be installed with the following command:", "impact": 0.5, "descs": { 
@@ -106618,319 +106618,319 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -107073,7 +107073,7 @@ } ], "id": "package_rsh-server_removed", - "title": "undefined title", + "title": "Uninstall rsh-server Package", "desc": "Thepackage can be removed with the following command:", "impact": 0.7, "descs": { @@ -107182,7 +107182,7 @@ } ], "id": "package_rsh_removed", - "title": "undefined title", + "title": "Uninstall rsh Package", "desc": "Thepackage contains the client commands\n\nfor the rsh services", "impact": 0.5, "descs": { 
@@ -107316,67 +107316,67 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -107441,11 +107441,11 @@ } ], "id": "package_rsyslog_installed", - "title": "undefined title", + "title": "Ensure rsyslog is Installed", "desc": "Rsyslog is installed by default. Thepackage can be installed with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"rsyslog\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"rsyslog\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -107466,7 +107466,7 @@ } ], "id": "package_samba_removed", - "title": "undefined title", + "title": "Uninstall Samba Package", "desc": "Thepackage can be removed with the following command:", "impact": 0.5, "descs": { @@ -107491,7 +107491,7 @@ } ], "id": "package_squid_removed", - "title": "undefined title", + "title": "Uninstall squid Package", "desc": "Thepackage can be removed with the following command:", "impact": 0.5, "descs": { 
@@ -107534,11 +107534,11 @@ } ], "id": "package_sudo_installed", - "title": "undefined title", + "title": "Install sudo Package", "desc": "Thepackage can be installed with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"sudo\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"sudo\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -107650,67 +107650,67 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -107757,11 +107757,11 @@ } ], "id": "package_syslogng_installed", - "title": "undefined title", + "title": "Ensure syslog-ng is Installed", "desc": "syslog-ng can be installed in replacement of rsyslog.\nThepackage can be installed with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"syslogng\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"syslogng\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -107824,7 +107824,7 @@ } ], "id": "package_talk_removed", - "title": "undefined title", + "title": "Uninstall talk Package", "desc": "Thepackage contains the client program for the\nInternet talk protocol, which allows the user to chat with other users on\ndifferent systems. Talk is a communication program which copies lines from one\nterminal to the terminal of another user.\nThepackage can be removed with the following command:", "impact": 0.5, "descs": { @@ -107933,7 +107933,7 @@ } ], "id": "package_telnet_removed", - "title": "undefined title", + "title": "Remove telnet Clients", "desc": "The telnet client allows users to start connections to other systems via\nthe telnet protocol.", "impact": 0.3, "descs": { 
@@ -108061,319 +108061,319 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -108498,7 +108498,7 @@ } ], "id": "package_telnetd-ssl_removed", - "title": "undefined title", + "title": "Uninstall the ssl compliant telnet server", "desc": "Thedaemon, even with ssl support, should be uninstalled.", "impact": 0.7, "descs": { 
@@ -108632,319 +108632,319 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -109075,7 +109075,7 @@ } ], "id": "package_telnetd_removed", - "title": "undefined title", + "title": "Uninstall the telnet server", "desc": "The telnet daemon should be uninstalled.", "impact": 0.7, "descs": { 
@@ -109185,67 +109185,67 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -109298,11 +109298,11 @@ } ], "id": "package_timesyncd_installed", - "title": "undefined title", + "title": "Install the systemd_timesyncd Service", "desc": "The systemd_timesyncd service should be installed.", "impact": 0.7, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"systemd-timesyncd\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nDEBIAN_FRONTEND=noninteractive apt-get install -y \"systemd-timesyncd\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -109408,265 +109408,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -109785,7 +109785,7 @@ } ], "id": "package_vsftpd_removed", - "title": "undefined title", + "title": "Uninstall vsftpd Package", "desc": "Thepackage can be removed with the following command:", "impact": 0.7, "descs": { 
@@ -109961,319 +109961,319 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -110398,11 +110398,11 @@ } ], "id": "package_xinetd_removed", - "title": "undefined title", + "title": "Uninstall xinetd Package", "desc": "Thepackage can be removed with the following command:", "impact": 0.3, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n# CAUTION: This remediation script will remove xinetd\n#\t from the system, and may remove any packages\n#\t that depend on xinetd. Execute this\n#\t remediation AFTER testing on a non-production\n#\t system!\n\nDEBIAN_FRONTEND=noninteractive apt-get remove -y \"xinetd\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n# CAUTION: This remediation script will remove xinetd\n#\t from the system, and may remove any packages\n#\t that depend on xinetd. Execute this\n#\t remediation AFTER testing on a non-production\n#\t system!\n\nDEBIAN_FRONTEND=noninteractive apt-get remove -y \"xinetd\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -110472,79 +110472,79 @@ { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 
5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -110621,7 +110621,7 @@ } ], "id": "package_xorg-x11-server-common_removed", - "title": "undefined title", + "title": "Remove the X Windows Package Group", "desc": "By removing the xorg-x11-server-common package, the system no longer has X Windows\ninstalled. If X Windows is not installed then the system cannot boot into graphical user mode.\nThis prevents the system from being accidentally or maliciously booted into amode. To do so, run the following command:", "impact": 0.5, "descs": { 
@@ -110694,61 +110694,61 @@ { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -110795,7 +110795,7 @@ } ], "id": "partition_for_home", - "title": "undefined title", + "title": "Ensure /home Located On Separate Partition", "desc": "If user home directories will be stored locally, create a separate partition\nforat installation time (or migrate it later using LVM). Ifwill be mounted from another system such as an NFS server, then\ncreating a separate partition is not necessary at installation time, and the\nmountpoint can instead be configured later.", "impact": 0.3, "descs": {} @@ -110817,7 +110817,7 @@ } ], "id": "partition_for_srv", - "title": "undefined title", + "title": "Ensure /srv Located On Separate Partition", "desc": "If a file server (FTP, TFTP...) is hosted locally, create a separate partition\nforat installation time (or migrate it later using LVM). Ifwill be mounted from another system such as an NFS server, then\ncreating a separate partition is not necessary at installation time, and the\nmountpoint can instead be configured later.", "impact": 0.5, "descs": {} 
@@ -110882,61 +110882,61 @@ { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -110983,7 +110983,7 @@ } ], "id": "partition_for_tmp", - "title": "undefined title", + "title": "Ensure /tmp Located On Separate Partition", "desc": "Thedirectory is a world-writable directory used\nfor temporary file storage. Ensure it has its own partition or\nlogical volume at installation time, or migrate it using LVM.", "impact": 0.3, "descs": {} 
@@ -111048,61 +111048,61 @@ { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -111149,7 +111149,7 @@ } ], "id": "partition_for_var", - "title": "undefined title", + "title": "Ensure /var Located On Separate Partition", "desc": "Thedirectory is used by daemons and other system\nservices to store frequently-changing data. Ensure thathas its own partition\nor logical volume at installation time, or migrate it using LVM.", "impact": 0.3, "descs": {} 
@@ -111286,127 +111286,127 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -111501,7 +111501,7 @@ } ], "id": "partition_for_var_log", - "title": "undefined title", + "title": "Ensure /var/log Located On Separate Partition", "desc": "System logs are stored in thedirectory.\n\nEnsure thathas its own partition or logical\nvolume at installation time, or migrate it using LVM.", "impact": 0.5, "descs": {} 
@@ -111662,133 +111662,133 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -111907,7 +111907,7 @@ } ], "id": "partition_for_var_log_audit", - "title": "undefined title", + "title": "Ensure /var/log/audit Located On Separate Partition", "desc": "Audit logs are stored in thedirectory.\n\nEnsure thathas its own partition or logical\nvolume at installation time, or migrate it using LVM.\nMake absolutely certain that it is large enough to store all\naudit logs that will be created by the auditing daemon.", "impact": 0.3, "descs": {} @@ -111941,7 +111941,7 @@ } ], "id": "partition_for_var_tmp", - "title": "undefined title", + "title": "Ensure /var/tmp Located On Separate Partition", "desc": "Thedirectory is a world-writable directory used\nfor temporary file storage. Ensure it has its own partition or\nlogical volume at installation time, or migrate it using LVM.", "impact": 0.3, "descs": {} 
@@ -112005,7 +112005,7 @@ } ], "id": "permissions_local_var_log", - "title": "undefined title", + "title": "Verify permissions of log files", "desc": "Any operating system providing too much information in error messages\nrisks compromising the data and security of the structure, and content\nof error messages needs to be carefully considered by the organization.\n\nOrganizations carefully consider the structure/content of error messages.\nThe extent to which information systems are able to identify and handle\nerror conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes,\nfor example, erroneous logon attempts with passwords entered by mistake\nas the username, mission/business information that can be derived from\n(if not stated explicitly by) information recorded, and personal\ninformation, such as account numbers, social security numbers, and credit\ncard numbers.", "impact": 0.5, "descs": {} @@ -112039,7 +112039,7 @@ } ], "id": "policy_temp_passwords_immediate_change", - "title": "undefined title", + "title": "Policy Requires Immediate Change of Temporary Passwords", "desc": "Temporary passwords for Ubuntu 20.04 operating system logons must\nrequire an immediate change to a permanent password.\n\nVerify that a policy exists that ensures when a user is created, it is\ncreating using a method that forces a user to change their password upon\ntheir next login.", "impact": 0.5, "descs": {} 
@@ -112086,11 +112086,11 @@ } ], "id": "postfix_client_configure_mail_alias", - "title": "undefined title", + "title": "Configure System to Forward All Mail For The Root Account", "desc": "Make sure that mails delivered to root user are forwarded to a monitored\nemail address. Make sure that the addressis a valid email address\nreachable from the system in question. Use the following command to\nconfigure the alias:", "impact": 0.3, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nvar_postfix_root_mail_alias=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/aliases\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^root\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s: %s\" \"$stripped_key\" \"$var_postfix_root_mail_alias\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^root\\\\>\" \"/etc/aliases\"; then\n \"${sed_command[@]}\" \"s/^root\\\\>.*/$formatted_output/gi\" \"/etc/aliases\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/aliases\" >> \"/etc/aliases\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/aliases\"\nfi\n\nnewaliases\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nvar_postfix_root_mail_alias=\"\"\n\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/aliases\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^root\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s: %s\" \"$stripped_key\" \"$var_postfix_root_mail_alias\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^root\\\\>\" \"/etc/aliases\"; then\n \"${sed_command[@]}\" \"s/^root\\\\>.*/$formatted_output/gi\" \"/etc/aliases\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/aliases\" >> \"/etc/aliases\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/aliases\"\nfi\n\nnewaliases\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -112103,7 +112103,7 @@ }, "refs": [], "id": "postfix_client_configure_relayhost", - "title": "undefined title", + "title": "Configure System to Forward All Mail through a specific host", "desc": "Set up a relay host that will act as a gateway for all outbound email.\nEdit the fileto ensure that only the followingline appears:", "impact": 0.5, "descs": {} @@ -112125,7 +112125,7 @@ } ], "id": "prefer_64bit_os", - "title": "undefined title", + "title": "Prefer to use a 64-bit Operating System when supported", "desc": "Prefer installation of 64-bit operating systems when the CPU supports it.", "impact": 0.5, "descs": {} @@ -112299,19 +112299,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -112532,7 +112532,7 @@ } ], "id": "restrict_serial_port_logins", - "title": "undefined title", + "title": "Restrict Serial Port Root Logins", "desc": "To restrict root logins on serial ports,\nensure lines of this form do not appear in:", "impact": 0.5, "descs": { @@ -112599,19 +112599,19 @@ { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -112670,7 +112670,7 @@ } ], "id": "root_path_no_dot", - "title": "undefined title", + "title": "Ensure that Root's Path Does Not Include Relative Paths or Null Directories", "desc": "Ensure that none of the directories in root's path is equal to a singlecharacter, or\nthat it contains any instances that lead to relative path traversal, such asor beginning a path without the slash () character.\nAlso ensure that there are no \"empty\" elements in the path, such as in these examples:These empty elements have the same effect as a singlecharacter.", "impact": 0.5, "descs": {} 
@@ -112759,67 +112759,67 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -112914,7 +112914,7 @@ } ], "id": "rsyslog_accept_remote_messages_tcp", - "title": "undefined title", + "title": "Enable rsyslog to Accept Messages via TCP, if Acting As Log Server", "desc": "Thedaemon should not accept remote messages\nunless the system acts as a log server.\nIf the system needs to act as a central log server, add the following lines toto enable reception of messages over TCP:", "impact": 0.5, "descs": {} 
@@ -113003,67 +113003,67 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -113158,7 +113158,7 @@ } ], "id": "rsyslog_accept_remote_messages_udp", - "title": "undefined title", + "title": "Enable rsyslog to Accept Messages via UDP, if Acting As Log Server", "desc": "Thedaemon should not accept remote messages\nunless the system acts as a log server.\nIf the system needs to act as a central log server, add the following lines toto enable reception of messages over UDP:", "impact": 0.5, "descs": {} @@ -113198,7 +113198,7 @@ } ], "id": "rsyslog_encrypt_offload_actionsendstreamdriverauthmode", - "title": "undefined title", + "title": "Ensure Rsyslog Authenticates Off-Loaded Audit Records", "desc": "Rsyslogd is a system utility providing support for message logging. Support\nfor both internet and UNIX domain sockets enables this utility to support both local\nand remote logging. Couple this utility with(which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to securely\nencrypt and off-load auditing.\n\nWhen usingto off-load logs the remote system must be authenticated.", "impact": 0.5, "descs": {} @@ -113238,7 +113238,7 @@ } ], "id": "rsyslog_encrypt_offload_actionsendstreamdrivermode", - "title": "undefined title", + "title": "Ensure Rsyslog Encrypts Off-Loaded Audit Records", "desc": "Rsyslogd is a system utility providing support for message logging. Support\nfor both internet and UNIX domain sockets enables this utility to support both local\nand remote logging. Couple this utility with(which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to securely\nencrypt and off-load auditing.\n\nWhen usingto off-load logs off a encrpytion system must be used.", "impact": 0.5, "descs": {} 
@@ -113278,7 +113278,7 @@ } ], "id": "rsyslog_encrypt_offload_defaultnetstreamdriver", - "title": "undefined title", + "title": "Ensure Rsyslog Encrypts Off-Loaded Audit Records", "desc": "Rsyslogd is a system utility providing support for message logging. Support\nfor both internet and UNIX domain sockets enables this utility to support both local\nand remote logging. Couple this utility with(which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to securely\nencrypt and off-load auditing.\n\nWhen usingto off-load logs off a encrpytion system must be used.", "impact": 0.5, "descs": {} @@ -113385,19 +113385,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -113630,7 +113630,7 @@ } ], "id": "rsyslog_files_groupownership", - "title": "undefined title", + "title": "Ensure Log Files Are Owned By Appropriate Group", "desc": "The group-owner of all log files written byshould be.\nThese log files are determined by the second part of each Rule line inand typically all appear in.\nFor each log filereferenced in,\nrun the following command to inspect the file's group owner:If the owner is not, run the following command to\ncorrect this:", "impact": 0.5, "descs": {} 
@@ -113737,19 +113737,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -113982,7 +113982,7 @@ } ], "id": "rsyslog_files_ownership", - "title": "undefined title", + "title": "Ensure Log Files Are Owned By Appropriate User", "desc": "The owner of all log files written byshould be.\nThese log files are determined by the second part of each Rule line inand typically all appear in.\nFor each log filereferenced in,\nrun the following command to inspect the file's owner:If the owner is not, run the following command to\ncorrect this:", "impact": 0.5, "descs": {} @@ -114088,7 +114088,7 @@ } ], "id": "rsyslog_files_permissions", - "title": "undefined title", + "title": "Ensure System Log Files Have Correct Permissions", "desc": "The file permissions for all log files written byshould\nbe set to 600, or more restrictive. These log files are determined by the\nsecond part of each Rule line inand typically\nall appear in. For each log filereferenced in, run the following command to\ninspect the file's permissions:If the permissions are not 600 or more restrictive, run the following\ncommand to correct this:\"", "impact": 0.5, "descs": {} 
@@ -114128,7 +114128,7 @@ } ], "id": "rsyslog_remote_access_monitoring", - "title": "undefined title", + "title": "Ensure remote access methods are monitored in Rsyslog", "desc": "Logging of remote access methods must be implemented to help identify cyber\nattacks and ensure ongoing compliance with remote access policies are being\naudited and upheld. An examples of a remote access method is the use of the\nRemote Desktop Protocol (RDP) from an external, non-organization controlled\nnetwork. Theorfile should contain a match for the following\nselectors:,, and. If\nnot, use the following as an example configuration:", "impact": 0.5, "descs": {} 
@@ -114343,79 +114343,79 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -114528,7 +114528,7 @@ } ], "id": "rsyslog_remote_loghost", - "title": "undefined title", + "title": "Ensure Logs Sent To Remote Host", "desc": "To configure rsyslog to send logs to a remote log server,\nopenand read and understand the last section of the file,\nwhich describes the multiple directives necessary to activate remote\nlogging.\nAlong with these other directives, the system can be configured\nto forward its logs to a particular log server by\nadding or correcting one of the following lines,\nsubstitutingappropriately.\nThe choice of protocol depends on the environment of the system;\nalthough TCP and RELP provide more reliable message delivery,\nthey may not be supported in all environments.To use UDP for log message delivery:To use TCP for log message delivery:To use RELP for log message delivery:There must be a resolvable DNS CNAME or Alias record set to \"\" for logs to be sent correctly to the centralized logging utility.", "impact": 0.5, "descs": {} 
@@ -114702,19 +114702,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -114941,7 +114941,7 @@ } ], "id": "securetty_root_login_console_only", - "title": "undefined title", + "title": "Restrict Virtual Console Root Logins", "desc": "To restrict root logins through the (deprecated) virtual console devices,\nensure lines of this form do not appear in:", "impact": 0.5, "descs": { 
@@ -115206,391 +115206,391 @@ { "ref": "4.2.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -115955,7 +115955,7 @@ } ], "id": "selinux_state", - "title": "undefined title", + "title": "Ensure SELinux State is Enforcing", "desc": "The SELinux state should be set toat\nsystem boot time. In the file, add or correct the\nfollowing line to configure the system to boot into enforcing mode:", "impact": 0.5, "descs": {} @@ -115971,7 +115971,7 @@ }, "refs": [], "id": "service_apport_disabled", - "title": "undefined title", + "title": "Disable Apport Service", "desc": "The Apport modifies certain kernel configuration values at\nruntime which may decrease the overall security of the system and expose sensitive data.\n\nTheservice can be disabled with the following command:", "impact": 0.5, "descs": { 
@@ -116405,187 +116405,187 @@ { "ref": "4.2.3.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -116920,11 +116920,11 @@ } ], "id": "service_auditd_enabled", - "title": "undefined title", + "title": "Enable auditd Service", "desc": "Theservice is an essential userspace component of\nthe Linux Auditing System, as it is responsible for writing audit records to\ndisk.\n\nTheservice can be enabled with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; }; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'auditd.service'\n\"$SYSTEMCTL_EXEC\" start 'auditd.service'\n\"$SYSTEMCTL_EXEC\" enable 'auditd.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\\n' 'audit' 2>/dev/null | grep -q installed; }; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'auditd.service'\n\"$SYSTEMCTL_EXEC\" start 'auditd.service'\n\"$SYSTEMCTL_EXEC\" enable 'auditd.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -117096,157 +117096,157 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -117407,11 +117407,11 @@ } ], "id": "service_autofs_disabled", - "title": "undefined title", + "title": "Disable the Automounter", "desc": "Thedaemon mounts and unmounts filesystems, such as user\nhome directories shared via NFS, on demand. In addition, autofs can be used to handle\nremovable media, and the default configuration provides the cdrom device as.\nHowever, this method of providing access to removable media is not common, so autofs\ncan almost always be disabled if NFS is not in use. Even if NFS is required, it may be\npossible to configure filesystem mounts statically by editingrather than relying on the automounter.Theservice can be disabled with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" stop 'autofs.service'\n\"$SYSTEMCTL_EXEC\" disable 'autofs.service'\n\"$SYSTEMCTL_EXEC\" mask 'autofs.service'\n# Disable socket activation if we have a unit file for it\nif \"$SYSTEMCTL_EXEC\" list-unit-files | grep -q '^autofs.socket'; then\n \"$SYSTEMCTL_EXEC\" stop 'autofs.socket'\n \"$SYSTEMCTL_EXEC\" mask 'autofs.socket'\nfi\n# The service may not be running because it has been started and failed,\n# so let's reset the state so OVAL checks pass.\n# Service should be 'inactive', not 'failed' after reboot though.\n\"$SYSTEMCTL_EXEC\" reset-failed 'autofs.service' || true\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" stop 'autofs.service'\n\"$SYSTEMCTL_EXEC\" disable 'autofs.service'\n\"$SYSTEMCTL_EXEC\" mask 'autofs.service'\n# Disable socket activation if we have a unit file for it\nif \"$SYSTEMCTL_EXEC\" list-unit-files | grep -q '^autofs.socket'; then\n \"$SYSTEMCTL_EXEC\" stop 'autofs.socket'\n \"$SYSTEMCTL_EXEC\" mask 'autofs.socket'\nfi\n# The service may not be running because it has been started and failed,\n# so let's reset the state so OVAL checks pass.\n# Service should be 'inactive', not 'failed' after reboot though.\n\"$SYSTEMCTL_EXEC\" reset-failed 'autofs.service' || true\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -117505,265 +117505,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -117840,11 +117840,11 @@ } ], "id": "service_avahi-daemon_disabled", - "title": "undefined title", + "title": "Disable Avahi Server Software", "desc": "Theservice can be disabled with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" stop 'avahi-daemon.service'\n\"$SYSTEMCTL_EXEC\" disable 'avahi-daemon.service'\n\"$SYSTEMCTL_EXEC\" mask 'avahi-daemon.service'\n# Disable socket activation if we have a unit file for it\nif \"$SYSTEMCTL_EXEC\" list-unit-files | grep -q '^avahi-daemon.socket'; then\n \"$SYSTEMCTL_EXEC\" stop 'avahi-daemon.socket'\n \"$SYSTEMCTL_EXEC\" mask 'avahi-daemon.socket'\nfi\n# The service may not be running because it has been started and failed,\n# so let's reset the state so OVAL checks pass.\n# Service should be 'inactive', not 'failed' after reboot though.\n\"$SYSTEMCTL_EXEC\" reset-failed 'avahi-daemon.service' || true\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" stop 'avahi-daemon.service'\n\"$SYSTEMCTL_EXEC\" disable 'avahi-daemon.service'\n\"$SYSTEMCTL_EXEC\" mask 'avahi-daemon.service'\n# Disable socket activation if we have a unit file for it\nif \"$SYSTEMCTL_EXEC\" list-unit-files | grep -q '^avahi-daemon.socket'; then\n \"$SYSTEMCTL_EXEC\" stop 'avahi-daemon.socket'\n \"$SYSTEMCTL_EXEC\" mask 'avahi-daemon.socket'\nfi\n# The service may not be running because it has been started and failed,\n# so let's reset the state so OVAL checks pass.\n# Service should be 'inactive', not 'failed' after reboot though.\n\"$SYSTEMCTL_EXEC\" reset-failed 'avahi-daemon.service' || true\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -117858,11 +117858,11 @@ }, "refs": [], "id": "service_chronyd_enabled", - "title": "undefined title", + "title": "The Chronyd service is enabled", "desc": "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to\nsynchronize system clocks across a variety of systems and use a source that is highly\naccurate. More information on chrony can be found at.\nChrony can be configured to be a client and/or a server.\nTo enable Chronyd service, you can run:This recommendation only applies if chrony is in use on the system.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'chronyd.service'\n\"$SYSTEMCTL_EXEC\" start 'chronyd.service'\n\"$SYSTEMCTL_EXEC\" enable 'chronyd.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'chronyd.service'\n\"$SYSTEMCTL_EXEC\" start 'chronyd.service'\n\"$SYSTEMCTL_EXEC\" enable 'chronyd.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -117967,67 +117967,67 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -118086,7 +118086,7 @@ } ], "id": "service_chronyd_or_ntpd_enabled", - "title": "undefined title", + "title": "Enable the NTP Daemon", "desc": "Run the following command to determine the current status of theservice:If the service is running, it should return the following:Note: Thedaemon is enabled by default.Run the following command to determine the current status of theservice:If the service is running, it should return the following:Note: Thedaemon is not enabled by default. Though as mentioned\nin the previous sections in certain environments thedaemon might\nbe preferred to be used rather than theone. Refer to:for guidance which NTP daemon to choose depending on the environment used.", "impact": 0.5, "descs": {} 
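Review bot: For `service_chronyd_or_ntpd_enabled` the `desc` context line has lost every inline name it refers to — `status of theservice:`, `Thedaemon is enabled by default`, `Refer to:for guidance` — and `descs` is `{}`, so after this hunk the rule has a correct title but no fix text and a description that does not name a single daemon or command; an operator reading the generated control cannot tell which of the two services is meant or what to run. The title change does not address this; the loss presumably happens in the description's HTML-stripping step, which appears to drop element contents along with the tags — confirm before regenerating this expectation file. At minimum the stripper should preserve inner text (e.g. the contents of `<code>`-style elements) so the description names the service and the command, and the fixture should be re-derived from that output rather than encoding the current one. The rule object starts and ends outside this hunk.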
@@ -118176,265 +118176,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -118499,11 +118499,11 @@ } ], "id": "service_cron_enabled", - "title": "undefined title", + "title": "Enable cron Service", "desc": "Theservice is used to execute commands at\npreconfigured times. It is required by almost all systems to perform necessary\nmaintenance tasks, such as notifying root of system activity.\n\nTheservice can be enabled with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'cron.service'\n\"$SYSTEMCTL_EXEC\" start 'cron.service'\n\"$SYSTEMCTL_EXEC\" enable 'cron.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'cron.service'\n\"$SYSTEMCTL_EXEC\" start 'cron.service'\n\"$SYSTEMCTL_EXEC\" enable 'cron.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -118591,265 +118591,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -118926,11 +118926,11 @@ } ], "id": "service_cups_disabled", - "title": "undefined title", + "title": "Disable the CUPS Service", "desc": "Theservice can be disabled with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" stop 'cups.service'\n\"$SYSTEMCTL_EXEC\" disable 'cups.service'\n\"$SYSTEMCTL_EXEC\" mask 'cups.service'\n# Disable socket activation if we have a unit file for it\nif \"$SYSTEMCTL_EXEC\" list-unit-files | grep -q '^cups.socket'; then\n \"$SYSTEMCTL_EXEC\" stop 'cups.socket'\n \"$SYSTEMCTL_EXEC\" mask 'cups.socket'\nfi\n# The service may not be running because it has been started and failed,\n# so let's reset the state so OVAL checks pass.\n# Service should be 'inactive', not 'failed' after reboot though.\n\"$SYSTEMCTL_EXEC\" reset-failed 'cups.service' || true\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" stop 'cups.service'\n\"$SYSTEMCTL_EXEC\" disable 'cups.service'\n\"$SYSTEMCTL_EXEC\" mask 'cups.service'\n# Disable socket activation if we have a unit file for it\nif \"$SYSTEMCTL_EXEC\" list-unit-files | grep -q '^cups.socket'; then\n \"$SYSTEMCTL_EXEC\" stop 'cups.socket'\n \"$SYSTEMCTL_EXEC\" mask 'cups.socket'\nfi\n# The service may not be running because it has been started and failed,\n# so let's reset the state so OVAL checks pass.\n# Service should be 'inactive', not 'failed' after reboot though.\n\"$SYSTEMCTL_EXEC\" reset-failed 'cups.service' || true\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -119108,337 +119108,337 @@ { "ref": "4.2.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -119725,11 +119725,11 @@ } ], "id": "service_ip6tables_enabled", - "title": "undefined title", + "title": "Verify ip6tables Enabled if Using IPv6", "desc": "Theservice can be enabled with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'ip6tables.service'\n\"$SYSTEMCTL_EXEC\" start 'ip6tables.service'\n\"$SYSTEMCTL_EXEC\" enable 'ip6tables.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'ip6tables.service'\n\"$SYSTEMCTL_EXEC\" start 'ip6tables.service'\n\"$SYSTEMCTL_EXEC\" enable 'ip6tables.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -119913,337 +119913,337 @@ { "ref": "4.2.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -120530,11 +120530,11 @@ } ], "id": "service_iptables_enabled", - "title": "undefined title", + "title": "Verify iptables Enabled", "desc": "Theservice can be enabled with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'iptables.service'\n\"$SYSTEMCTL_EXEC\" start 'iptables.service'\n\"$SYSTEMCTL_EXEC\" enable 'iptables.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'iptables.service'\n\"$SYSTEMCTL_EXEC\" start 'iptables.service'\n\"$SYSTEMCTL_EXEC\" enable 'iptables.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -120700,319 +120700,319 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -121155,11 +121155,11 @@ } ], "id": "service_kdump_disabled", - "title": "undefined title", + "title": "Disable KDump Kernel Crash Analyzer (kdump)", "desc": "Theservice provides a kernel crash dump analyzer. It uses thesystem call to boot a secondary kernel (\"capture\" kernel) following a system\ncrash, which can load information from the crashed kernel for analysis.\n\nTheservice can be disabled with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" stop 'kdump.service'\n\"$SYSTEMCTL_EXEC\" disable 'kdump.service'\n\"$SYSTEMCTL_EXEC\" mask 'kdump.service'\n# Disable socket activation if we have a unit file for it\nif \"$SYSTEMCTL_EXEC\" list-unit-files | grep -q '^kdump.socket'; then\n \"$SYSTEMCTL_EXEC\" stop 'kdump.socket'\n \"$SYSTEMCTL_EXEC\" mask 'kdump.socket'\nfi\n# The service may not be running because it has been started and failed,\n# so let's reset the state so OVAL checks pass.\n# Service should be 'inactive', not 'failed' after reboot though.\n\"$SYSTEMCTL_EXEC\" reset-failed 'kdump.service' || true\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" stop 'kdump.service'\n\"$SYSTEMCTL_EXEC\" disable 'kdump.service'\n\"$SYSTEMCTL_EXEC\" mask 'kdump.service'\n# Disable socket activation if we have a unit file for it\nif \"$SYSTEMCTL_EXEC\" list-unit-files | grep -q '^kdump.socket'; then\n \"$SYSTEMCTL_EXEC\" stop 'kdump.socket'\n \"$SYSTEMCTL_EXEC\" mask 'kdump.socket'\nfi\n# The service may not be running because it has been started and failed,\n# so let's reset the state so OVAL checks pass.\n# Service should be 'inactive', not 'failed' after reboot though.\n\"$SYSTEMCTL_EXEC\" reset-failed 'kdump.service' || true\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -121172,11 +121172,11 @@ }, "refs": [], "id": "service_netfs_disabled", - "title": "undefined title", + "title": "Disable Network File Systems (netfs)", "desc": "The netfs script manages the boot-time mounting of several types\nof networked filesystems, of which NFS and Samba are the most common. If these\nfilesystem types are not in use, the script can be disabled, protecting the\nsystem somewhat against accidental or malicious changes toand against flaws in the netfs script itself.\n\nTheservice can be disabled with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" stop 'netfs.service'\n\"$SYSTEMCTL_EXEC\" disable 'netfs.service'\n\"$SYSTEMCTL_EXEC\" mask 'netfs.service'\n# Disable socket activation if we have a unit file for it\nif \"$SYSTEMCTL_EXEC\" list-unit-files | grep -q '^netfs.socket'; then\n \"$SYSTEMCTL_EXEC\" stop 'netfs.socket'\n \"$SYSTEMCTL_EXEC\" mask 'netfs.socket'\nfi\n# The service may not be running because it has been started and failed,\n# so let's reset the state so OVAL checks pass.\n# Service should be 'inactive', not 'failed' after reboot though.\n\"$SYSTEMCTL_EXEC\" reset-failed 'netfs.service' || true\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" stop 'netfs.service'\n\"$SYSTEMCTL_EXEC\" disable 'netfs.service'\n\"$SYSTEMCTL_EXEC\" mask 'netfs.service'\n# Disable socket activation if we have a unit file for it\nif \"$SYSTEMCTL_EXEC\" list-unit-files | grep -q '^netfs.socket'; then\n \"$SYSTEMCTL_EXEC\" stop 'netfs.socket'\n \"$SYSTEMCTL_EXEC\" mask 'netfs.socket'\nfi\n# The service may not be running because it has been started and failed,\n# so let's reset the state so OVAL checks pass.\n# Service should be 'inactive', not 'failed' after reboot though.\n\"$SYSTEMCTL_EXEC\" reset-failed 'netfs.service' || true\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -121282,67 +121282,67 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -121401,11 +121401,11 @@ } ], "id": "service_ntp_enabled", - "title": "undefined title", + "title": "Enable the NTP Daemon", "desc": "Theservice can be enabled with the following command:", "impact": 0.7, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'ntp.service'\n\"$SYSTEMCTL_EXEC\" start 'ntp.service'\n\"$SYSTEMCTL_EXEC\" enable 'ntp.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'ntp.service'\n\"$SYSTEMCTL_EXEC\" start 'ntp.service'\n\"$SYSTEMCTL_EXEC\" enable 'ntp.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -121493,67 +121493,67 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -121612,11 +121612,11 @@ } ], "id": "service_ntpd_enabled", - "title": "undefined title", + "title": "Enable the NTP Daemon", "desc": "Theservice can be enabled with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\\n' 'ntp' 2>/dev/null | grep -q installed; }; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'ntpd.service'\n\"$SYSTEMCTL_EXEC\" start 'ntpd.service'\n\"$SYSTEMCTL_EXEC\" enable 'ntpd.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\\n' 'ntp' 2>/dev/null | grep -q installed; }; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'ntpd.service'\n\"$SYSTEMCTL_EXEC\" start 'ntpd.service'\n\"$SYSTEMCTL_EXEC\" enable 'ntpd.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -121884,97 +121884,97 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -122099,11 +122099,11 @@ } ], "id": "service_rsyslog_enabled", - "title": "undefined title", + "title": "Enable rsyslog Service", "desc": "Theservice provides syslog-style logging by default on Ubuntu 20.04.\n\nTheservice can be enabled with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'rsyslog.service'\n\"$SYSTEMCTL_EXEC\" start 'rsyslog.service'\n\"$SYSTEMCTL_EXEC\" enable 'rsyslog.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'rsyslog.service'\n\"$SYSTEMCTL_EXEC\" start 'rsyslog.service'\n\"$SYSTEMCTL_EXEC\" enable 'rsyslog.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -122116,11 +122116,11 @@ }, "refs": [], "id": "service_sshd_disabled", - "title": "undefined title", + "title": "Disable SSH Server If Possible (Unusual)", "desc": "The SSH server service, sshd, is commonly needed.\nHowever, if it can be disabled, do so.\n\n\nTheservice can be disabled with the following command:This is unusual, as SSH is a common method for encrypted and authenticated\nremote access.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" stop 'sshd.service'\n\"$SYSTEMCTL_EXEC\" disable 'sshd.service'\n\"$SYSTEMCTL_EXEC\" mask 'sshd.service'\n# Disable socket activation if we have a unit file for it\nif \"$SYSTEMCTL_EXEC\" list-unit-files | grep -q '^sshd.socket'; then\n \"$SYSTEMCTL_EXEC\" stop 'sshd.socket'\n \"$SYSTEMCTL_EXEC\" mask 'sshd.socket'\nfi\n# The service may not be running because it has been started and failed,\n# so let's reset the state so OVAL checks pass.\n# Service should be 'inactive', not 'failed' after reboot though.\n\"$SYSTEMCTL_EXEC\" reset-failed 'sshd.service' || true\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" stop 'sshd.service'\n\"$SYSTEMCTL_EXEC\" disable 'sshd.service'\n\"$SYSTEMCTL_EXEC\" mask 'sshd.service'\n# Disable socket activation if we have a unit file for it\nif \"$SYSTEMCTL_EXEC\" list-unit-files | grep -q '^sshd.socket'; then\n \"$SYSTEMCTL_EXEC\" stop 'sshd.socket'\n \"$SYSTEMCTL_EXEC\" mask 'sshd.socket'\nfi\n# The service may not be running because it has been started and failed,\n# so let's reset the state so OVAL checks pass.\n# Service should be 'inactive', not 'failed' after reboot though.\n\"$SYSTEMCTL_EXEC\" reset-failed 'sshd.service' || true\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -122226,31 +122226,31 @@ { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -122471,11 +122471,11 @@ } ], "id": "service_sshd_enabled", - "title": "undefined title", + "title": "Enable the OpenSSH Service", "desc": "The SSH server service, sshd, is commonly needed.\n\nTheservice can be enabled with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'ssh.service'\n\"$SYSTEMCTL_EXEC\" start 'ssh.service'\n\"$SYSTEMCTL_EXEC\" enable 'ssh.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'ssh.service'\n\"$SYSTEMCTL_EXEC\" start 'ssh.service'\n\"$SYSTEMCTL_EXEC\" enable 'ssh.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -122725,97 +122725,97 @@ { "ref": "4.3.2.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -122928,11 +122928,11 @@ } ], "id": "service_syslogng_enabled", - "title": "undefined title", + "title": "Enable syslog-ng Service", "desc": "Theservice (in replacement of rsyslog) provides syslog-style logging by default on Debian.\n\nTheservice can be enabled with the following command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'syslogng.service'\n\"$SYSTEMCTL_EXEC\" start 'syslogng.service'\n\"$SYSTEMCTL_EXEC\" enable 'syslogng.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'syslogng.service'\n\"$SYSTEMCTL_EXEC\" start 'syslogng.service'\n\"$SYSTEMCTL_EXEC\" enable 'syslogng.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -123038,67 +123038,67 @@ { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
"ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -123157,11 +123157,11 @@ } ], "id": "service_timesyncd_enabled", - "title": "undefined title", + "title": "Enable systemd_timesyncd Service", "desc": "Theservice can be enabled with the following command:", "impact": 0.7, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'systemd-timesyncd.service'\n\"$SYSTEMCTL_EXEC\" start 'systemd-timesyncd.service'\n\"$SYSTEMCTL_EXEC\" enable 'systemd-timesyncd.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\n\"$SYSTEMCTL_EXEC\" unmask 'systemd-timesyncd.service'\n\"$SYSTEMCTL_EXEC\" start 'systemd-timesyncd.service'\n\"$SYSTEMCTL_EXEC\" enable 'systemd-timesyncd.service'\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -123249,265 +123249,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -123614,7 +123614,7 @@ } ], "id": "set_ip6tables_default_rule", - "title": "undefined title", + "title": "Set Default ip6tables Policy for Incoming Packets", "desc": "To set the default policy to DROP (instead of ACCEPT) for\nthe built-in INPUT chain which processes incoming packets,\nadd or correct the following line in:If changes were required, reload the ip6tables rules:", "impact": 0.5, "descs": { 
@@ -123706,265 +123706,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -124047,7 +124047,7 @@ } ], "id": "set_iptables_default_rule", - "title": "undefined title", + "title": "Set Default iptables Policy for Incoming Packets", "desc": "To set the default policy to DROP (instead of ACCEPT) for\nthe built-in INPUT chain which processes incoming packets,\nadd or correct the following line in:", "impact": 0.5, "descs": { 
@@ -124133,265 +124133,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -124474,7 +124474,7 @@ } ], "id": "set_iptables_default_rule_forward", - "title": "undefined title", + "title": "Set Default iptables Policy for Forwarded Packets", "desc": "To set the default policy to DROP (instead of ACCEPT) for\nthe built-in FORWARD chain which processes packets that will be forwarded from\none interface to another,\nadd or correct the following line in:", "impact": 0.5, "descs": { 
@@ -124583,145 +124583,145 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -124840,7 +124840,7 @@ } ], "id": "set_password_hashing_algorithm_logindefs", - "title": "undefined title", + "title": "Set Password Hashing Algorithm in /etc/login.defs", "desc": "In, add or correct the following line to ensure\nthe system will use SHA-512 as the hashing algorithm:", "impact": 0.5, "descs": {} 
@@ -124887,11 +124887,11 @@ } ], "id": "smartcard_configure_ca", - "title": "undefined title", + "title": "Configure Smart Card Certificate Authority Validation", "desc": "Configure the operating system to do certificate status checking for PKI\nauthentication. Modify all of thelines into includelike so:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ ! -f /etc/pam_pkcs11/pam_pkcs11.conf ]; then\n cp /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf\nfi\n\nif grep -v \"^\\s*\\#+cert_policy\" /etc/pam_pkcs11/pam_pkcs11.conf | grep -qv \"ca\"; then\n sed -i \"s/\\(^[[:blank:]]*\\)\\(\\(\\#*[[:blank:]]*cert_policy[[:blank:]]*=[[:blank:]]*.*;\\)[^ $]*\\)/\\1cert_policy = ca,signature,ocsp_on;/\" /etc/pam_pkcs11/pam_pkcs11.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ ! -f /etc/pam_pkcs11/pam_pkcs11.conf ]; then\n cp /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf\nfi\n\nif grep -v \"^\\s*\\#+cert_policy\" /etc/pam_pkcs11/pam_pkcs11.conf | grep -qv \"ca\"; then\n sed -i \"s/\\(^[[:blank:]]*\\)\\(\\(\\#*[[:blank:]]*cert_policy[[:blank:]]*=[[:blank:]]*.*;\\)[^ $]*\\)/\\1cert_policy = ca,signature,ocsp_on;/\" /etc/pam_pkcs11/pam_pkcs11.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -124954,11 +124954,11 @@ } ], "id": "smartcard_configure_cert_checking", - "title": "undefined title", + "title": "Configure Smart Card Certificate Status Checking", "desc": "Configure the operating system to do certificate status checking for PKI\nauthentication. Modify all of thelines into includelike so:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ ! -f /etc/pam_pkcs11/pam_pkcs11.conf ]; then\n cp /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf\nfi\n\nif grep -v \"^\\s*\\#+cert_policy\" /etc/pam_pkcs11/pam_pkcs11.conf | grep -qv \"oscp_on\"; then\n sed -i \"s/\\(^[[:blank:]]*\\)\\(\\(\\#*[[:blank:]]*cert_policy[[:blank:]]*=[[:blank:]]*.*;\\)[^ $]*\\)/\\1cert_policy = ca,signature,ocsp_on;/\" /etc/pam_pkcs11/pam_pkcs11.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ ! -f /etc/pam_pkcs11/pam_pkcs11.conf ]; then\n cp /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf\nfi\n\nif grep -v \"^\\s*\\#+cert_policy\" /etc/pam_pkcs11/pam_pkcs11.conf | grep -qv \"oscp_on\"; then\n sed -i \"s/\\(^[[:blank:]]*\\)\\(\\(\\#*[[:blank:]]*cert_policy[[:blank:]]*=[[:blank:]]*.*;\\)[^ $]*\\)/\\1cert_policy = ca,signature,ocsp_on;/\" /etc/pam_pkcs11/pam_pkcs11.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
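Review bot: The remediation captured in this rule's `fix` greps for `oscp_on` while the value it writes is `ocsp_on`; since no line can match the misspelling, `grep -qv "oscp_on"` succeeds on almost any file and the `sed` runs on every application, rewriting `cert_policy` to `ca,signature,ocsp_on;` — which would also discard the `crl_auto` that the sibling `smartcard_configure_crl` remediation appends. This is a snapshot of upstream benchmark content rather than code this commit authored, so it is probably not this change's to fix, but the fixture should not be read as a reference remediation. If this repo curates the sample data, a short comment or issue pointing at the upstream typo would save the next reader from chasing it as a parser bug.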
@@ -124991,11 +124991,11 @@ } ], "id": "smartcard_configure_crl", - "title": "undefined title", + "title": "Configure Smart Card Local Cache of Revocation Data", "desc": "Configure the operating system for PKI-based authentication to use\nlocal revocation data when unable to access the network to obtain it\nremotely. Modify all of thelines into includeorlike so:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ ! -f /etc/pam_pkcs11/pam_pkcs11.conf ]; then\n cp /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf\nfi\n\nif grep -v \"^\\s*\\#+cert_policy\" /etc/pam_pkcs11/pam_pkcs11.conf | grep -Eqv 'crl_auto|crl_offline'; then\n sed -i \"s/\\(^[[:blank:]]*\\)\\(\\(\\#*[[:blank:]]*cert_policy[[:blank:]]*=[[:blank:]]*.*;\\)[^ $]*\\)/\\1cert_policy = ca,signature,ocsp_on,crl_auto;/\" /etc/pam_pkcs11/pam_pkcs11.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ ! -f /etc/pam_pkcs11/pam_pkcs11.conf ]; then\n cp /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf\nfi\n\nif grep -v \"^\\s*\\#+cert_policy\" /etc/pam_pkcs11/pam_pkcs11.conf | grep -Eqv 'crl_auto|crl_offline'; then\n sed -i \"s/\\(^[[:blank:]]*\\)\\(\\(\\#*[[:blank:]]*cert_policy[[:blank:]]*=[[:blank:]]*.*;\\)[^ $]*\\)/\\1cert_policy = ca,signature,ocsp_on,crl_auto;/\" /etc/pam_pkcs11/pam_pkcs11.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -125112,11 +125112,11 @@ } ], "id": "smartcard_pam_enabled", - "title": "undefined title", + "title": "Enable Smart Card Logins in PAM", "desc": "This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the\npurpose of configuring the device itself (management).\n\nCheck that theoption is configured in thefile with the following command:For general information about enabling smart card authentication, consult\nthe documentation at:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/pam.d/common-auth\" ] ; then\n valueRegex=\"\" defaultValue=\"\"\n # non-empty values need to be preceded by an equals sign\n [ -n \"${valueRegex}\" ] && valueRegex=\"=${valueRegex}\"\n # add an equals sign to non-empty values\n [ -n \"${defaultValue}\" ] && defaultValue=\"=${defaultValue}\"\n\n # fix 'type' if it's wrong\n if grep -q -P \"^\\\\s*(?\"'!'\"auth\\\\s)[[:alnum:]]+\\\\s+[[:alnum:]]+\\\\s+pam_pkcs11.so\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*)[[:alnum:]]+(\\\\s+[[:alnum:]]+\\\\s+pam_pkcs11.so)/\\\\1auth\\\\2/\" \"/etc/pam.d/common-auth\"\n fi\n\n # fix 'control' if it's wrong\n if grep -q -P \"^\\\\s*auth\\\\s+(?\"'!'\"[success=2 default=ignore])[[:alnum:]]+\\\\s+pam_pkcs11.so\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+)[[:alnum:]]+(\\\\s+pam_pkcs11.so)/\\\\1[success=2 default=ignore]\\\\2/\" \"/etc/pam.d/common-auth\"\n fi\n\n # fix the value for 'option' if one exists but does not match 'valueRegex'\n if grep -q -P \"^\\\\s*auth\\\\s+[success=2 default=ignore]\\\\s+pam_pkcs11.so(\\\\s.+)?\\\\s+(?\"'!'\"${valueRegex}(\\\\s|\\$))\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e 
\"s/^(\\\\s*auth\\\\s+[success=2 default=ignore]\\\\s+pam_pkcs11.so(\\\\s.+)?\\\\s)=[^[:space:]]*/\\\\1${defaultValue}/\" \"/etc/pam.d/common-auth\"\n\n # add 'option=default' if option is not set\n elif grep -q -E \"^\\\\s*auth\\\\s+[success=2 default=ignore]\\\\s+pam_pkcs11.so\" < \"/etc/pam.d/common-auth\" &&\n grep -E \"^\\\\s*auth\\\\s+[success=2 default=ignore]\\\\s+pam_pkcs11.so\" < \"/etc/pam.d/common-auth\" | grep -q -E -v \"\\\\s(=|\\\\s|\\$)\" ; then\n\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+[success=2 default=ignore]\\\\s+pam_pkcs11.so[^\\\\n]*)/\\\\1 ${defaultValue}/\" \"/etc/pam.d/common-auth\"\n # add a new entry if none exists\n elif ! grep -q -P \"^\\\\s*auth\\\\s+[success=2 default=ignore]\\\\s+pam_pkcs11.so(\\\\s.+)?\\\\s+${valueRegex}(\\\\s|\\$)\" < \"/etc/pam.d/common-auth\" ; then\n echo \"auth [success=2 default=ignore] pam_pkcs11.so ${defaultValue}\" >> \"/etc/pam.d/common-auth\"\n fi\nelse\n echo \"/etc/pam.d/common-auth doesn't exist\" >&2\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/pam.d/common-auth\" ] ; then\n valueRegex=\"\" defaultValue=\"\"\n # non-empty values need to be preceded by an equals sign\n [ -n \"${valueRegex}\" ] && valueRegex=\"=${valueRegex}\"\n # add an equals sign to non-empty values\n [ -n \"${defaultValue}\" ] && defaultValue=\"=${defaultValue}\"\n\n # fix 'type' if it's wrong\n if grep -q -P \"^\\\\s*(?\"'!'\"auth\\\\s)[[:alnum:]]+\\\\s+[[:alnum:]]+\\\\s+pam_pkcs11.so\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*)[[:alnum:]]+(\\\\s+[[:alnum:]]+\\\\s+pam_pkcs11.so)/\\\\1auth\\\\2/\" \"/etc/pam.d/common-auth\"\n fi\n\n # fix 'control' if it's wrong\n if grep -q -P \"^\\\\s*auth\\\\s+(?\"'!'\"[success=2 default=ignore])[[:alnum:]]+\\\\s+pam_pkcs11.so\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+)[[:alnum:]]+(\\\\s+pam_pkcs11.so)/\\\\1[success=2 default=ignore]\\\\2/\" \"/etc/pam.d/common-auth\"\n fi\n\n # fix the value for 'option' if one exists but does not match 'valueRegex'\n if grep -q -P \"^\\\\s*auth\\\\s+[success=2 default=ignore]\\\\s+pam_pkcs11.so(\\\\s.+)?\\\\s+(?\"'!'\"${valueRegex}(\\\\s|\\$))\" < \"/etc/pam.d/common-auth\" ; then\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+[success=2 default=ignore]\\\\s+pam_pkcs11.so(\\\\s.+)?\\\\s)=[^[:space:]]*/\\\\1${defaultValue}/\" \"/etc/pam.d/common-auth\"\n\n # add 'option=default' if option is not set\n elif grep -q -E \"^\\\\s*auth\\\\s+[success=2 default=ignore]\\\\s+pam_pkcs11.so\" < \"/etc/pam.d/common-auth\" &&\n grep -E \"^\\\\s*auth\\\\s+[success=2 default=ignore]\\\\s+pam_pkcs11.so\" < \"/etc/pam.d/common-auth\" | grep -q -E -v \"\\\\s(=|\\\\s|\\$)\" ; then\n\n sed --follow-symlinks -i -E -e \"s/^(\\\\s*auth\\\\s+[success=2 default=ignore]\\\\s+pam_pkcs11.so[^\\\\n]*)/\\\\1 ${defaultValue}/\" \"/etc/pam.d/common-auth\"\n # add a new entry if none exists\n elif ! 
grep -q -P \"^\\\\s*auth\\\\s+[success=2 default=ignore]\\\\s+pam_pkcs11.so(\\\\s.+)?\\\\s+${valueRegex}(\\\\s|\\$)\" < \"/etc/pam.d/common-auth\" ; then\n echo \"auth [success=2 default=ignore] pam_pkcs11.so ${defaultValue}\" >> \"/etc/pam.d/common-auth\"\n fi\nelse\n echo \"/etc/pam.d/common-auth doesn't exist\" >&2\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -125299,217 +125299,217 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -125706,7 +125706,7 @@ } ], "id": "sshd_allow_only_protocol2", - "title": "undefined title", + "title": "Allow Only SSH Protocol 2", "desc": "Only SSH protocol version 2 connections should be\npermitted. The default setting inis correct, and can be\nverified by ensuring that the following\nline appears:", "impact": 0.7, "descs": {} 
@@ -125813,19 +125813,19 @@ { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -125902,7 +125902,7 @@ } ], "id": "sshd_disable_compression", - "title": "undefined title", + "title": "Disable Compression Or Set Compression to delayed", "desc": "Compression is useful for slow network connections over long\ndistances but can cause performance issues on local LANs. If use of compression\nis required, it should be enabled only after a user has authenticated; otherwise,\nit should be disabled. To disable compression or delay compression until after\na user has successfully authenticated, add or correct the following line in thefile:", "impact": 0.5, "descs": {} 
@@ -126130,277 +126130,277 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -126669,11 +126669,11 @@ } ], "id": "sshd_disable_empty_passwords", - "title": "undefined title", + "title": "Disable SSH Access via Empty Passwords", "desc": "To explicitly disallow SSH login from accounts with\nempty passwords, add or correct the following line in:Any accounts with empty passwords should be disabled immediately, and PAM configuration\nshould prevent users from being able to assign themselves empty passwords.", "impact": 0.7, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*PermitEmptyPasswords\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"PermitEmptyPasswords no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"PermitEmptyPasswords no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*PermitEmptyPasswords\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"PermitEmptyPasswords no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"PermitEmptyPasswords no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -126809,19 +126809,19 @@ { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -126910,11 +126910,11 @@ } ], "id": "sshd_disable_gssapi_auth", - "title": "undefined title", + "title": "Disable GSSAPI Authentication", "desc": "Unless needed, SSH should not permit extraneous or unnecessary\nauthentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or\ncorrect the following line in thefile:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*GSSAPIAuthentication\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"GSSAPIAuthentication no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"GSSAPIAuthentication no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*GSSAPIAuthentication\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"GSSAPIAuthentication no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"GSSAPIAuthentication no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -127050,19 +127050,19 @@ { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -127151,11 +127151,11 @@ } ], "id": "sshd_disable_kerb_auth", - "title": "undefined title", + "title": "Disable Kerberos Authentication", "desc": "Unless needed, SSH should not permit extraneous or unnecessary\nauthentication mechanisms like Kerberos. To disable Kerberos authentication, add\nor correct the following line in thefile:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*KerberosAuthentication\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"KerberosAuthentication no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"KerberosAuthentication no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*KerberosAuthentication\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"KerberosAuthentication no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"KerberosAuthentication no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -127169,11 +127169,11 @@ }, "refs": [], "id": "sshd_disable_pubkey_auth", - "title": "undefined title", + "title": "Disable PubkeyAuthentication Authentication", "desc": "Unless needed, SSH should not permit extraneous or unnecessary\nauthentication mechanisms. To disable PubkeyAuthentication authentication, add or\ncorrect the following line in thefile:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*PubkeyAuthentication\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"PubkeyAuthentication no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"PubkeyAuthentication no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*PubkeyAuthentication\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"PubkeyAuthentication no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"PubkeyAuthentication no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -127327,271 +127327,271 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -127740,11 +127740,11 @@ } ], "id": "sshd_disable_rhosts", - "title": "undefined title", + "title": "Disable SSH Support for .rhosts Files", "desc": "SSH can emulate the behavior of the obsolete rsh\ncommand in allowing users to enable insecure access to their\naccounts viafiles.To ensure this behavior is disabled, add or correct the\nfollowing line in:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*IgnoreRhosts\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"IgnoreRhosts yes\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"IgnoreRhosts yes\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*IgnoreRhosts\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"IgnoreRhosts yes\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"IgnoreRhosts yes\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -127849,19 +127849,19 @@ { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -127944,7 +127944,7 @@ } ], "id": "sshd_disable_rhosts_rsa", - "title": "undefined title", + "title": "Disable SSH Support for Rhosts RSA Authentication", "desc": "SSH can allow authentication through the obsolete rsh\ncommand through the use of the authenticating user's SSH keys. This should be disabled.To ensure this behavior is disabled, add or correct the\nfollowing line in:", "impact": 0.5, "descs": {} 
@@ -128166,259 +128166,259 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -128789,11 +128789,11 @@ } ], "id": "sshd_disable_root_login", - "title": "undefined title", + "title": "Disable SSH Root Login", "desc": "The root user should never be allowed to login to a\nsystem directly over a network.\nTo disable root login via SSH, add or correct the following line\nin:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*PermitRootLogin\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"PermitRootLogin no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"PermitRootLogin no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*PermitRootLogin\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"PermitRootLogin no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"PermitRootLogin no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -128807,11 +128807,11 @@ }, "refs": [], "id": "sshd_disable_root_password_login", - "title": "undefined title", + "title": "Disable SSH root Login with a Password (Insecure)", "desc": "To disable password-based root logins over SSH, add or correct the following\nline in:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*PermitRootLogin\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"PermitRootLogin prohibit-password\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"PermitRootLogin prohibit-password\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*PermitRootLogin\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"PermitRootLogin prohibit-password\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"PermitRootLogin prohibit-password\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -128832,11 +128832,11 @@ } ], "id": "sshd_disable_tcp_forwarding", - "title": "undefined title", + "title": "Disable SSH TCP Forwarding", "desc": "Theparameter specifies whether TCP forwarding is permitted.\nTo disable TCP forwarding, add or correct the\nfollowing line in:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*AllowTcpForwarding\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"AllowTcpForwarding no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"AllowTcpForwarding no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*AllowTcpForwarding\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"AllowTcpForwarding no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"AllowTcpForwarding no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -128942,19 +128942,19 @@ { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -129037,11 +129037,11 @@ } ], "id": "sshd_disable_user_known_hosts", - "title": "undefined title", + "title": "Disable SSH Support for User Known Hosts", "desc": "SSH can allow system users to connect to systems if a cache of the remote\nsystems public keys is available. This should be disabled.To ensure this behavior is disabled, add or correct the\nfollowing line in:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*IgnoreUserKnownHosts\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"IgnoreUserKnownHosts yes\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"IgnoreUserKnownHosts yes\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*IgnoreUserKnownHosts\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"IgnoreUserKnownHosts yes\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"IgnoreUserKnownHosts yes\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -129086,11 +129086,11 @@ } ], "id": "sshd_disable_x11_forwarding", - "title": "undefined title", + "title": "Disable X11 Forwarding", "desc": "The X11Forwarding parameter provides the ability to tunnel X11 traffic\nthrough the connection to enable remote graphic connections.\nSSH has the capability to encrypt remote X11 connections when SSH'soption is enabled.To disable X11 Forwarding, add or correct the\nfollowing line in:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*X11Forwarding\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"X11Forwarding no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"X11Forwarding no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*X11Forwarding\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"X11Forwarding no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"X11Forwarding no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -129208,19 +129208,19 @@ { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -129303,11 +129303,11 @@ } ], "id": "sshd_do_not_permit_user_env", - "title": "undefined title", + "title": "Do Not Allow SSH Environment Options", "desc": "To ensure users are not able to override environment\nvariables of the SSH daemon, add or correct the following line\nin:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*PermitUserEnvironment\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"PermitUserEnvironment no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"PermitUserEnvironment no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*PermitUserEnvironment\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"PermitUserEnvironment no\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"PermitUserEnvironment no\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -129321,11 +129321,11 @@ }, "refs": [], "id": "sshd_enable_gssapi_auth", - "title": "undefined title", + "title": "Enable GSSAPI Authentication", "desc": "Sites setup to use Kerberos or other GSSAPI Authenticaion require setting\nsshd to accept this authentication.\nTo enable GSSAPI authentication, add or correct the following line in thefile:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*GSSAPIAuthentication\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"GSSAPIAuthentication yes\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"GSSAPIAuthentication yes\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*GSSAPIAuthentication\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"GSSAPIAuthentication yes\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"GSSAPIAuthentication yes\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -129461,19 +129461,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -129706,11 +129706,11 @@ } ], "id": "sshd_enable_strictmodes", - "title": "undefined title", + "title": "Enable Use of Strict Mode Checking", "desc": "SSHsoption checks file and ownership permissions in\nthe user's home directoryfolder before accepting login. If world-\nwritable permissions are found, logon is rejected. To enablein SSH,\nadd or correct the following line in thefile:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*StrictModes\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"StrictModes yes\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"StrictModes yes\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*StrictModes\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"StrictModes yes\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"StrictModes yes\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -129858,97 +129858,97 @@ { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" 
] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -130043,11 +130043,11 @@ } ], "id": "sshd_enable_warning_banner", - "title": "undefined title", + "title": "Enable SSH Warning Banner", "desc": "To enable the warning banner and ensure it is consistent\nacross the system, add or correct the following line in:Another section contains information on how to create an\nappropriate system-wide warning banner.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*Banner\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"Banner /etc/issue\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"Banner /etc/issue\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*Banner\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"Banner /etc/issue\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"Banner /etc/issue\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -130189,25 +130189,25 @@ { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -130320,11 +130320,11 @@ } ], "id": "sshd_enable_x11_forwarding", - "title": "undefined title", + "title": "Enable Encrypted X11 Forwarding", "desc": "By default, remote X11 connections are not encrypted when initiated\nby users. SSH has the capability to encrypt remote X11 connections when SSH'soption is enabled.To enable X11 Forwarding, add or correct the\nfollowing line in:", "impact": 0.7, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*X11Forwarding\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"X11Forwarding yes\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"X11Forwarding yes\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*X11Forwarding\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"X11Forwarding yes\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"X11Forwarding yes\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -130429,253 +130429,253 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -130818,7 +130818,7 @@ } ], "id": "sshd_limit_user_access", - "title": "undefined title", + "title": "Limit Users' SSH Access", "desc": "By default, the SSH configuration allows any user with an account\nto access the system. In order to specify the users that are allowed to login\nvia SSH and deny all other users, add or correct the following line in thefile:Whereandare valid user names.", "impact": 0.5, "descs": {} 
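Review bot: The new side of the `sshd_limit_user_access` hunk fixes the title but leaves a `desc` that reads `add or correct the following line in thefile:Whereandare valid user names.` — the file path, the `AllowUsers`-style directive and the placeholder names have vanished, so the guidance the control is supposed to give is no longer in the record. The same collapse shows in the unchanged sibling entries here (`SSH'soption`, `Theparameter`, `avalue ofcauses`), which suggests whatever strips inline markup from the description is dropping the element's text along with its tags rather than unwrapping it; that is inferred from the output, the stripping code is not in this hunk. A tag stripper that keeps inner text (replace `<tt>x</tt>` with `x`, and only then remove the remaining tags) would restore those values, and this fixture should be regenerated after that change instead of accepting the truncated descriptions as the expected output.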
@@ -130884,97 +130884,97 @@ { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" 
] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -131045,11 +131045,11 @@ } ], "id": "sshd_print_last_log", - "title": "undefined title", + "title": "Enable SSH Print Last Log", "desc": "When enabled, SSH will display the date and time of the last\nsuccessful account logon. To enable LastLog in\nSSH, add or correct the following line in thefile:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*PrintLastLog\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"PrintLastLog yes\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"PrintLastLog yes\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*PrintLastLog\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"PrintLastLog yes\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"PrintLastLog yes\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -131088,11 +131088,11 @@ } ], "id": "sshd_rekey_limit", - "title": "undefined title", + "title": "Force frequent session key renegotiation", "desc": "Theparameter specifies how often\nthe session key of the is renegotiated, both in terms of\namount of data that may be transmitted and the time\nelapsed. To decrease the default limits, put lineto file.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nvar_rekey_limit_size=\"\"\n\nvar_rekey_limit_time=\"\"\n\n\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*RekeyLimit\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"RekeyLimit $var_rekey_limit_size $var_rekey_limit_time\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"RekeyLimit $var_rekey_limit_size $var_rekey_limit_time\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\n\nvar_rekey_limit_size=\"\"\n\nvar_rekey_limit_time=\"\"\n\n\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*RekeyLimit\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"RekeyLimit $var_rekey_limit_size $var_rekey_limit_time\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"RekeyLimit $var_rekey_limit_size $var_rekey_limit_time\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -131288,163 +131288,163 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -131731,11 +131731,11 @@ } ], "id": "sshd_set_idle_timeout", - "title": "undefined title", + "title": "Set SSH Idle Timeout Interval", "desc": "SSH allows administrators to set an idle timeout interval. After this interval\nhas passed, the idle user will be automatically logged out.To set an idle timeout interval, edit the following line inas\nfollows:The timeoutis given in seconds. For example, have a timeout\nof 10 minutes, setto 600.If a shorter timeout has already been set for the login shell, that value will\npreempt any SSH setting made in. Keep in mind that\nsome processes may stop SSH from correctly detecting that the user is idle.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsshd_idle_timeout_value=\"\"\n\n\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*ClientAliveInterval\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"ClientAliveInterval $sshd_idle_timeout_value\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"ClientAliveInterval $sshd_idle_timeout_value\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\n\nsshd_idle_timeout_value=\"\"\n\n\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*ClientAliveInterval\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"ClientAliveInterval $sshd_idle_timeout_value\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"ClientAliveInterval $sshd_idle_timeout_value\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -131967,163 +131967,163 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -132386,11 +132386,11 @@ } ], "id": "sshd_set_keepalive", - "title": "undefined title", + "title": "Set SSH Client Alive Count Max", "desc": "The SSH server sends at mostmessages\nduring a SSH session and waits for a response from the SSH client.\nThe optionconfigures timeout after\neachmessage. If the SSH server does not\nreceive a response from the client, then the connection is considered idle\nand terminated.\nFor SSH earlier than v8.2, avalue ofcauses an idle timeout precisely when theis set.\nStarting with v8.2, a value ofdisables the timeout functionality\ncompletely. If the option is set to a number greater than, then\nthe idle session will be disconnected afterseconds.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nvar_sshd_set_keepalive=\"\"\n\n\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*ClientAliveCountMax\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"ClientAliveCountMax $var_sshd_set_keepalive\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"ClientAliveCountMax $var_sshd_set_keepalive\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\n\nvar_sshd_set_keepalive=\"\"\n\n\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*ClientAliveCountMax\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"ClientAliveCountMax $var_sshd_set_keepalive\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"ClientAliveCountMax $var_sshd_set_keepalive\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -132616,163 +132616,163 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -133029,11 +133029,11 @@ } ], "id": "sshd_set_keepalive_0", - "title": "undefined title", + "title": "Set SSH Client Alive Count Max to zero", "desc": "The SSH server sends at mostmessages\nduring a SSH session and waits for a response from the SSH client.\nThe optionconfigures timeout after\neachmessage. If the SSH server does not\nreceive a response from the client, then the connection is considered idle\nand terminated.\n\nTo ensure the SSH idle timeout occurs precisely when theis set, set theto\nvalue of.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*ClientAliveCountMax\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"ClientAliveCountMax 0\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"ClientAliveCountMax 0\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*ClientAliveCountMax\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"ClientAliveCountMax 0\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"ClientAliveCountMax 0\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -133066,11 +133066,11 @@ } ], "id": "sshd_set_loglevel_info", - "title": "undefined title", + "title": "Set LogLevel to INFO", "desc": "The INFO parameter specifices that record login and logout activity will be logged.\nTo specify the log level in\nSSH, add or correct the following line in thefile:", "impact": 0.3, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*LogLevel\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"LogLevel INFO\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"LogLevel INFO\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*LogLevel\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"LogLevel INFO\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"LogLevel INFO\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -133121,11 +133121,11 @@ } ], "id": "sshd_set_loglevel_verbose", - "title": "undefined title", + "title": "Set SSH Daemon LogLevel to VERBOSE", "desc": "Theparameter configures the SSH daemon to record login and logout activity.\nTo specify the log level in\nSSH, add or correct the following line in thefile:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*LogLevel\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"LogLevel VERBOSE\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"LogLevel VERBOSE\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*LogLevel\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"LogLevel VERBOSE\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"LogLevel VERBOSE\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -133145,7 +133145,7 @@ } ], "id": "sshd_set_max_auth_tries", - "title": "undefined title", + "title": "Set SSH authentication attempt limit", "desc": "Theparameter specifies the maximum number of authentication attempts\npermitted per connection. Once the number of failures reaches half this value, additional failures are logged.\nto set MaxAUthTries editas follows:", "impact": 0.5, "descs": {} 
@@ -133168,11 +133168,11 @@ } ], "id": "sshd_set_max_sessions", - "title": "undefined title", + "title": "Set SSH MaxSessions limit", "desc": "Theparameter specifies the maximum number of open sessions permitted\nfrom a given connection. To set MaxSessions editas follows:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nvar_sshd_max_sessions=\"\"\n\n\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*MaxSessions\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"MaxSessions $var_sshd_max_sessions\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"MaxSessions $var_sshd_max_sessions\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\n\nvar_sshd_max_sessions=\"\"\n\n\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*MaxSessions\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"MaxSessions $var_sshd_max_sessions\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"MaxSessions $var_sshd_max_sessions\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -133193,11 +133193,11 @@ } ], "id": "sshd_set_maxstartups", - "title": "undefined title", + "title": "Ensure SSH MaxStartups is configured", "desc": "The MaxStartups parameter specifies the maximum number of concurrent\nunauthenticated connections to the SSH daemon. Additional connections will be\ndropped until authentication succeeds or the LoginGraceTime expires for a\nconnection. To confgure MaxStartups, you should add or correct the following\nline in thefile:CIS recommends a MaxStartups value of '10:30:60', or more restrictive where\ndictated by site policy.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nvar_sshd_set_maxstartups=\"\"\n\n\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*MaxStartups\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"MaxStartups $var_sshd_set_maxstartups\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"MaxStartups $var_sshd_set_maxstartups\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\n\nvar_sshd_set_maxstartups=\"\"\n\n\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*MaxStartups\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"MaxStartups $var_sshd_set_maxstartups\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"MaxStartups $var_sshd_set_maxstartups\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -133494,385 +133494,385 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.3.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.4.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -134207,7 +134207,7 @@ } ], "id": "sshd_use_approved_ciphers", - "title": "undefined title", + "title": "Use Only FIPS 140-2 Validated Ciphers", "desc": "Limit the ciphers to those algorithms which are FIPS-approved.\nCounter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.\nThe following line indemonstrates use of FIPS-approved ciphers:The man pagecontains a list of supported ciphers.\n\nThe rule is parametrized to use the following ciphers:.", "impact": 0.5, "descs": {} @@ -134301,7 +134301,7 @@ } ], "id": "sshd_use_approved_ciphers_ordered_stig", - "title": "undefined title", + "title": "Use Only FIPS 140-2 Validated Ciphers", "desc": "Limit the ciphers to those algorithms which are FIPS-approved.\nThe following line indemonstrates use of FIPS-approved ciphers:This rule ensures that there are configured ciphers mentioned\nabove (or their subset), keeping the given order of algorithms.", "impact": 0.5, "descs": {} 
@@ -134504,133 +134504,133 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 
1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -134917,7 +134917,7 @@ } ], "id": "sshd_use_approved_macs", - "title": "undefined title", + "title": "Use Only FIPS 140-2 Validated MACs", "desc": "Limit the MACs to those hash algorithms which are FIPS-approved.\nThe following line indemonstrates use of FIPS-approved MACs:The man pagecontains a list of supported MACs.\n\nThe rule is parametrized to use the following MACs:.", "impact": 0.5, "descs": {} @@ -134987,7 +134987,7 @@ } ], "id": "sshd_use_approved_macs_ordered_stig", - "title": "undefined title", + "title": "Use Only FIPS 140-2 Validated MACs", "desc": "Limit the MACs to those hash algorithms which are FIPS-approved.\nThe following line indemonstrates use of FIPS-approved MACs:This rule ensures that there are configured MACs mentioned\nabove (or their subset), keeping the given order of algorithms.", "impact": 0.5, "descs": {} @@ -135125,19 +135125,19 @@ { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -135370,11 +135370,11 @@ } ], "id": "sshd_use_priv_separation", - "title": "undefined title", + "title": "Enable Use of Privilege Separation", "desc": "When enabled, SSH will create an unprivileged child process that\nhas the privilege of the authenticated user. To enable privilege separation in\nSSH, add or correct the following line in thefile:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nvar_sshd_priv_separation=\"\"\n\n\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*UsePrivilegeSeparation\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"UsePrivilegeSeparation $var_sshd_priv_separation\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"UsePrivilegeSeparation $var_sshd_priv_separation\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\n\nvar_sshd_priv_separation=\"\"\n\n\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*UsePrivilegeSeparation\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"UsePrivilegeSeparation $var_sshd_priv_separation\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"UsePrivilegeSeparation $var_sshd_priv_separation\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -135413,11 +135413,11 @@ } ], "id": "sshd_x11_use_localhost", - "title": "undefined title", + "title": "Prevent remote hosts from connecting to the proxy display", "desc": "The SSH daemon should prevent remote hosts from connecting to the proxy\ndisplay. Make sure that the optionis set towithin the SSH server configuration file.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*X11UseLocalhost\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"X11UseLocalhost yes\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"X11UseLocalhost yes\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*X11UseLocalhost\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"X11UseLocalhost yes\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"X11UseLocalhost yes\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -135504,145 +135504,145 @@ { "ref": "4.3.3.2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -135749,7 +135749,7 @@ } ], "id": "sssd_offline_cred_expiration", - "title": "undefined title", + "title": "Configure SSSD to Expire Offline Credentials", "desc": "SSSD should be configured to expire offline credentials after 1 day.\nTo configure SSSD to expire offline credentials, settounder thesection in. For example:", "impact": 0.5, "descs": {} 
@@ -135772,11 +135772,11 @@ } ], "id": "sudo_add_noexec", - "title": "undefined title", + "title": "Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC", "desc": "The sudotag, when specified, prevents user executed\ncommands from executing other commands, like a shell for example.\nThis should be enabled by making sure that thetag exists inconfiguration file or any sudo configuration snippets\nin.", "impact": 0.7, "descs": { - "fix": "if /usr/sbin/visudo -qcf /etc/sudoers; then\n cp /etc/sudoers /etc/sudoers.bak\n if ! grep -P '^[\\s]*Defaults.*\\bnoexec\\b.*$' /etc/sudoers; then\n # sudoers file doesn't define Option noexec\n echo \"Defaults noexec\" >> /etc/sudoers\n fi\n \n # Check validity of sudoers and cleanup bak\n if /usr/sbin/visudo -qcf /etc/sudoers; then\n rm -f /etc/sudoers.bak\n else\n echo \"Fail to validate remediated /etc/sudoers, reverting to original file.\"\n mv /etc/sudoers.bak /etc/sudoers\n false\n fi\nelse\n echo \"Skipping remediation, /etc/sudoers failed to validate\"\n false\nfi" + "fix": "if /usr/sbin/visudo -qcf /etc/sudoers; then\n cp /etc/sudoers /etc/sudoers.bak\n if ! grep -P '^[\\s]*Defaults.*\\bnoexec\\b.*$' /etc/sudoers; then\n # sudoers file doesn't define Option noexec\n echo \"Defaults noexec\" >> /etc/sudoers\n fi\n \n # Check validity of sudoers and cleanup bak\n if /usr/sbin/visudo -qcf /etc/sudoers; then\n rm -f /etc/sudoers.bak\n else\n echo \"Fail to validate remediated /etc/sudoers, reverting to original file.\"\n mv /etc/sudoers.bak /etc/sudoers\n false\n fi\nelse\n echo \"Skipping remediation, /etc/sudoers failed to validate\"\n false\nfi" } }, { 
@@ -135797,11 +135797,11 @@ } ], "id": "sudo_add_requiretty", - "title": "undefined title", + "title": "Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty", "desc": "The sudotag, when specified, will only execute sudo\ncommands from users logged in to a real tty.\nThis should be enabled by making sure that thetag exists inconfiguration file or any sudo configuration snippets\nin.", "impact": 0.5, "descs": { - "fix": "if /usr/sbin/visudo -qcf /etc/sudoers; then\n cp /etc/sudoers /etc/sudoers.bak\n if ! grep -P '^[\\s]*Defaults.*\\brequiretty\\b.*$' /etc/sudoers; then\n # sudoers file doesn't define Option requiretty\n echo \"Defaults requiretty\" >> /etc/sudoers\n fi\n \n # Check validity of sudoers and cleanup bak\n if /usr/sbin/visudo -qcf /etc/sudoers; then\n rm -f /etc/sudoers.bak\n else\n echo \"Fail to validate remediated /etc/sudoers, reverting to original file.\"\n mv /etc/sudoers.bak /etc/sudoers\n false\n fi\nelse\n echo \"Skipping remediation, /etc/sudoers failed to validate\"\n false\nfi" + "fix": "if /usr/sbin/visudo -qcf /etc/sudoers; then\n cp /etc/sudoers /etc/sudoers.bak\n if ! grep -P '^[\\s]*Defaults.*\\brequiretty\\b.*$' /etc/sudoers; then\n # sudoers file doesn't define Option requiretty\n echo \"Defaults requiretty\" >> /etc/sudoers\n fi\n \n # Check validity of sudoers and cleanup bak\n if /usr/sbin/visudo -qcf /etc/sudoers; then\n rm -f /etc/sudoers.bak\n else\n echo \"Fail to validate remediated /etc/sudoers, reverting to original file.\"\n mv /etc/sudoers.bak /etc/sudoers\n false\n fi\nelse\n echo \"Skipping remediation, /etc/sudoers failed to validate\"\n false\nfi" } }, { 
@@ -135828,11 +135828,11 @@ } ], "id": "sudo_add_use_pty", - "title": "undefined title", + "title": "Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty", "desc": "The sudotag, when specified, will only execute sudo\ncommands from users logged in to a real tty.\nThis should be enabled by making sure that thetag exists inconfiguration file or any sudo configuration snippets\nin.", "impact": 0.5, "descs": { - "fix": "if /usr/sbin/visudo -qcf /etc/sudoers; then\n cp /etc/sudoers /etc/sudoers.bak\n if ! grep -P '^[\\s]*Defaults.*\\buse_pty\\b.*$' /etc/sudoers; then\n # sudoers file doesn't define Option use_pty\n echo \"Defaults use_pty\" >> /etc/sudoers\n fi\n \n # Check validity of sudoers and cleanup bak\n if /usr/sbin/visudo -qcf /etc/sudoers; then\n rm -f /etc/sudoers.bak\n else\n echo \"Fail to validate remediated /etc/sudoers, reverting to original file.\"\n mv /etc/sudoers.bak /etc/sudoers\n false\n fi\nelse\n echo \"Skipping remediation, /etc/sudoers failed to validate\"\n false\nfi" + "fix": "if /usr/sbin/visudo -qcf /etc/sudoers; then\n cp /etc/sudoers /etc/sudoers.bak\n if ! grep -P '^[\\s]*Defaults.*\\buse_pty\\b.*$' /etc/sudoers; then\n # sudoers file doesn't define Option use_pty\n echo \"Defaults use_pty\" >> /etc/sudoers\n fi\n \n # Check validity of sudoers and cleanup bak\n if /usr/sbin/visudo -qcf /etc/sudoers; then\n rm -f /etc/sudoers.bak\n else\n echo \"Fail to validate remediated /etc/sudoers, reverting to original file.\"\n mv /etc/sudoers.bak /etc/sudoers\n false\n fi\nelse\n echo \"Skipping remediation, /etc/sudoers failed to validate\"\n false\nfi" } }, { 
@@ -135853,11 +135853,11 @@ } ], "id": "sudo_custom_logfile", - "title": "undefined title", + "title": "Ensure Sudo Logfile Exists - sudo logfile", "desc": "A custom log sudo file can be configured with the 'logfile' tag. This rule configures\na sudo custom logfile at the default location suggested by CIS, which uses\n/var/log/sudo.log.", "impact": 0.3, "descs": { - "fix": "var_sudo_logfile=\"\"\n\n\n\nif /usr/sbin/visudo -qcf /etc/sudoers; then\n cp /etc/sudoers /etc/sudoers.bak\n if ! grep -P '^[\\s]*Defaults.*\\blogfile=(\"(?:\\\\\"|\\\\\\\\|[^\"\\\\\\n])*\"\\B|[^\"](?:(?:\\\\,|\\\\\"|\\\\ |\\\\\\\\|[^\", \\\\\\n])*)\\b)\\b.*$' /etc/sudoers; then\n # sudoers file doesn't define Option logfile\n echo \"Defaults logfile=${var_sudo_logfile}\" >> /etc/sudoers\n else\n # sudoers file defines Option logfile, remediate if appropriate value is not set\n if ! grep -P \"^[\\s]*Defaults.*\\blogfile=${var_sudo_logfile}\\b.*$\" /etc/sudoers; then\n \n sed -Ei \"s/(^[\\s]*Defaults.*\\blogfile=)[-]?\\w+(\\b.*$)/\\1${var_sudo_logfile}\\2/\" /etc/sudoers\n fi\n fi\n \n # Check validity of sudoers and cleanup bak\n if /usr/sbin/visudo -qcf /etc/sudoers; then\n rm -f /etc/sudoers.bak\n else\n echo \"Fail to validate remediated /etc/sudoers, reverting to original file.\"\n mv /etc/sudoers.bak /etc/sudoers\n false\n fi\nelse\n echo \"Skipping remediation, /etc/sudoers failed to validate\"\n false\nfi" + "fix": "var_sudo_logfile=\"\"\n\n\n\nif /usr/sbin/visudo -qcf /etc/sudoers; then\n cp /etc/sudoers /etc/sudoers.bak\n if ! grep -P '^[\\s]*Defaults.*\\blogfile=(\"(?:\\\\\"|\\\\\\\\|[^\"\\\\\\n])*\"\\B|[^\"](?:(?:\\\\,|\\\\\"|\\\\ |\\\\\\\\|[^\", \\\\\\n])*)\\b)\\b.*$' /etc/sudoers; then\n # sudoers file doesn't define Option logfile\n echo \"Defaults logfile=${var_sudo_logfile}\" >> /etc/sudoers\n else\n # sudoers file defines Option logfile, remediate if appropriate value is not set\n if ! 
grep -P \"^[\\s]*Defaults.*\\blogfile=${var_sudo_logfile}\\b.*$\" /etc/sudoers; then\n \n sed -Ei \"s/(^[\\s]*Defaults.*\\blogfile=)[-]?\\w+(\\b.*$)/\\1${var_sudo_logfile}\\2/\" /etc/sudoers\n fi\n fi\n \n # Check validity of sudoers and cleanup bak\n if /usr/sbin/visudo -qcf /etc/sudoers; then\n rm -f /etc/sudoers.bak\n else\n echo \"Fail to validate remediated /etc/sudoers, reverting to original file.\"\n mv /etc/sudoers.bak /etc/sudoers\n false\n fi\nelse\n echo \"Skipping remediation, /etc/sudoers failed to validate\"\n false\nfi" } }, { 
@@ -135945,115 +135945,115 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -136154,11 +136154,11 @@ } ], "id": "sudo_remove_no_authenticate", - "title": "undefined title", + "title": "Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate", "desc": "The sudooption, when specified, allows a user to execute commands using\nsudo without having to authenticate. This should be disabled by making sure that theoption does not exist inconfiguration file or\nany sudo configuration snippets in.", "impact": 0.5, "descs": { - "fix": "for f in /etc/sudoers /etc/sudoers.d/* ; do\n if [ ! -e \"$f\" ] ; then\n continue\n fi\n matching_list=$(grep -P '^(?!#).*[\\s]+\\!authenticate.*$' $f | uniq )\n if ! test -z \"$matching_list\"; then\n while IFS= read -r entry; do\n # comment out \"!authenticate\" matches to preserve user data\n sed -i \"s/^${entry}$/# &/g\" $f\n done <<< \"$matching_list\"\n\n /usr/sbin/visudo -cf $f &> /dev/null || echo \"Fail to validate $f with visudo\"\n fi\ndone" + "fix": "for f in /etc/sudoers /etc/sudoers.d/* ; do\n if [ ! -e \"$f\" ] ; then\n continue\n fi\n matching_list=$(grep -P '^(?!#).*[\\s]+\\!authenticate.*$' $f | uniq )\n if ! test -z \"$matching_list\"; then\n while IFS= read -r entry; do\n # comment out \"!authenticate\" matches to preserve user data\n sed -i \"s/^${entry}$/# &/g\" $f\n done <<< \"$matching_list\"\n\n /usr/sbin/visudo -cf $f &> /dev/null || echo \"Fail to validate $f with visudo\"\n fi\ndone" } }, { 
@@ -136246,115 +136246,115 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -136455,11 +136455,11 @@ } ], "id": "sudo_remove_nopasswd", - "title": "undefined title", + "title": "Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD", "desc": "The sudotag, when specified, allows a user to execute\ncommands using sudo without having to authenticate. This should be disabled\nby making sure that thetag does not exist inconfiguration file or any sudo configuration snippets\nin.", "impact": 0.5, "descs": { - "fix": "for f in /etc/sudoers /etc/sudoers.d/* ; do\n if [ ! -e \"$f\" ] ; then\n continue\n fi\n matching_list=$(grep -P '^(?!#).*[\\s]+NOPASSWD[\\s]*\\:.*$' $f | uniq )\n if ! test -z \"$matching_list\"; then\n while IFS= read -r entry; do\n # comment out \"NOPASSWD\" matches to preserve user data\n sed -i \"s/^${entry}$/# &/g\" $f\n done <<< \"$matching_list\"\n\n /usr/sbin/visudo -cf $f &> /dev/null || echo \"Fail to validate $f with visudo\"\n fi\ndone" + "fix": "for f in /etc/sudoers /etc/sudoers.d/* ; do\n if [ ! -e \"$f\" ] ; then\n continue\n fi\n matching_list=$(grep -P '^(?!#).*[\\s]+NOPASSWD[\\s]*\\:.*$' $f | uniq )\n if ! test -z \"$matching_list\"; then\n while IFS= read -r entry; do\n # comment out \"NOPASSWD\" matches to preserve user data\n sed -i \"s/^${entry}$/# &/g\" $f\n done <<< \"$matching_list\"\n\n /usr/sbin/visudo -cf $f &> /dev/null || echo \"Fail to validate $f with visudo\"\n fi\ndone" } }, { 
@@ -136535,115 +136535,115 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -136738,11 +136738,11 @@ } ], "id": "sudo_require_authentication", - "title": "undefined title", + "title": "Ensure Users Re-Authenticate for Privilege Escalation - sudo", "desc": "The sudoandoption, when\nspecified, allows a user to execute commands using sudo without having to\nauthenticate. This should be disabled by making sure thatand/ordo not exist inconfiguration file or any sudo configuration snippets\nin.\"", "impact": 0.5, "descs": { - "fix": "for f in /etc/sudoers /etc/sudoers.d/* ; do\n if [ ! -e \"$f\" ] ; then\n continue\n fi\n matching_list=$(grep -P '^(?!#).*[\\s]+NOPASSWD[\\s]*\\:.*$' $f | uniq )\n if ! test -z \"$matching_list\"; then\n while IFS= read -r entry; do\n # comment out \"NOPASSWD\" matches to preserve user data\n sed -i \"s/^${entry}$/# &/g\" $f\n done <<< \"$matching_list\"\n\n /usr/sbin/visudo -cf $f &> /dev/null || echo \"Fail to validate $f with visudo\"\n fi\ndone\n\nfor f in /etc/sudoers /etc/sudoers.d/* ; do\n if [ ! -e \"$f\" ] ; then\n continue\n fi\n matching_list=$(grep -P '^(?!#).*[\\s]+\\!authenticate.*$' $f | uniq )\n if ! test -z \"$matching_list\"; then\n while IFS= read -r entry; do\n # comment out \"!authenticate\" matches to preserve user data\n sed -i \"s/^${entry}$/# &/g\" $f\n done <<< \"$matching_list\"\n\n /usr/sbin/visudo -cf $f &> /dev/null || echo \"Fail to validate $f with visudo\"\n fi\ndone" + "fix": "for f in /etc/sudoers /etc/sudoers.d/* ; do\n if [ ! -e \"$f\" ] ; then\n continue\n fi\n matching_list=$(grep -P '^(?!#).*[\\s]+NOPASSWD[\\s]*\\:.*$' $f | uniq )\n if ! test -z \"$matching_list\"; then\n while IFS= read -r entry; do\n # comment out \"NOPASSWD\" matches to preserve user data\n sed -i \"s/^${entry}$/# &/g\" $f\n done <<< \"$matching_list\"\n\n /usr/sbin/visudo -cf $f &> /dev/null || echo \"Fail to validate $f with visudo\"\n fi\ndone\n\nfor f in /etc/sudoers /etc/sudoers.d/* ; do\n if [ ! 
-e \"$f\" ] ; then\n continue\n fi\n matching_list=$(grep -P '^(?!#).*[\\s]+\\!authenticate.*$' $f | uniq )\n if ! test -z \"$matching_list\"; then\n while IFS= read -r entry; do\n # comment out \"!authenticate\" matches to preserve user data\n sed -i \"s/^${entry}$/# &/g\" $f\n done <<< \"$matching_list\"\n\n /usr/sbin/visudo -cf $f &> /dev/null || echo \"Fail to validate $f with visudo\"\n fi\ndone" } }, { @@ -136755,7 +136755,7 @@ }, "refs": [], "id": "sudo_vdsm_nopasswd", - "title": "undefined title", + "title": "Only the VDSM User Can Use sudo NOPASSWD", "desc": "The sudotag, when specified, allows a user to execute commands using sudo without having to authenticate. Only theuser should have this capability in any sudo configuration snippets in.", "impact": 0.5, "descs": {} @@ -136777,7 +136777,7 @@ } ], "id": "sudoers_explicit_command_args", - "title": "undefined title", + "title": "Explicit arguments in sudo specifications", "desc": "All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.\nIf the command is supposed to be executed only without arguments, pass \"\" as an argument in the corresponding user specification.", "impact": 0.5, "descs": {} @@ -136799,7 +136799,7 @@ } ], "id": "sudoers_no_command_negation", - "title": "undefined title", + "title": "Don't define allowed commands in sudoers by means of exclusion", "desc": "Policies applied by sudo through the sudoers file should not involve negation.\n\nEach user specification in thefile contains a comma-delimited list of command specifications.\nThe definition can make use glob patterns, as well as of negations.\nIndirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs.", "impact": 0.5, "descs": {} 
@@ -136821,7 +136821,7 @@ } ], "id": "sudoers_no_root_target", - "title": "undefined title", + "title": "Don't target root user in the sudoers file", "desc": "The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root).\n\nUser specifications have to explicitly list the runas spec (i.e. the list of target users that can be impersonated), andorshould not be used.", "impact": 0.5, "descs": {} 
@@ -136922,11 +136922,11 @@ } ], "id": "sysctl_fs_protected_hardlinks", - "title": "undefined title", + "title": "Enable Kernel Parameter to Enforce DAC on Hardlinks", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for fs.protected_hardlinks\n#\n/sbin/sysctl -q -n -w fs.protected_hardlinks=\"1\"\n\n#\n# If fs.protected_hardlinks present in /etc/sysctl.conf, change value to \"1\"\n#\telse, add \"fs.protected_hardlinks = 1\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^fs.protected_hardlinks\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"1\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^fs.protected_hardlinks\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^fs.protected_hardlinks\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for fs.protected_hardlinks\n#\n/sbin/sysctl -q -n -w fs.protected_hardlinks=\"1\"\n\n#\n# If fs.protected_hardlinks present in /etc/sysctl.conf, change value to \"1\"\n#\telse, add \"fs.protected_hardlinks = 1\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^fs.protected_hardlinks\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"1\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^fs.protected_hardlinks\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^fs.protected_hardlinks\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -137025,11 +137025,11 @@ } ], "id": "sysctl_fs_protected_symlinks", - "title": "undefined title", + "title": "Enable Kernel Parameter to Enforce DAC on Symlinks", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for fs.protected_symlinks\n#\n/sbin/sysctl -q -n -w fs.protected_symlinks=\"1\"\n\n#\n# If fs.protected_symlinks present in /etc/sysctl.conf, change value to \"1\"\n#\telse, add \"fs.protected_symlinks = 1\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^fs.protected_symlinks\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"1\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^fs.protected_symlinks\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^fs.protected_symlinks\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for fs.protected_symlinks\n#\n/sbin/sysctl -q -n -w fs.protected_symlinks=\"1\"\n\n#\n# If fs.protected_symlinks present in /etc/sysctl.conf, change value to \"1\"\n#\telse, add \"fs.protected_symlinks = 1\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^fs.protected_symlinks\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"1\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^fs.protected_symlinks\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^fs.protected_symlinks\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -137110,11 +137110,11 @@ } ], "id": "sysctl_fs_suid_dumpable", - "title": "undefined title", + "title": "Disable Core Dumps for SUID programs", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for fs.suid_dumpable\n#\n/sbin/sysctl -q -n -w fs.suid_dumpable=\"0\"\n\n#\n# If fs.suid_dumpable present in /etc/sysctl.conf, change value to \"0\"\n#\telse, add \"fs.suid_dumpable = 0\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^fs.suid_dumpable\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"0\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^fs.suid_dumpable\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^fs.suid_dumpable\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for fs.suid_dumpable\n#\n/sbin/sysctl -q -n -w fs.suid_dumpable=\"0\"\n\n#\n# If fs.suid_dumpable present in /etc/sysctl.conf, change value to \"0\"\n#\telse, add \"fs.suid_dumpable = 0\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^fs.suid_dumpable\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"0\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^fs.suid_dumpable\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^fs.suid_dumpable\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -137327,11 +137327,11 @@ } ], "id": "sysctl_kernel_kptr_restrict", - "title": "undefined title", + "title": "Restrict Exposed Kernel Pointer Addresses Access", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for kernel.kptr_restrict\n#\n/sbin/sysctl -q -n -w kernel.kptr_restrict=\"1\"\n\n#\n# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to \"1\"\n#\telse, add \"kernel.kptr_restrict = 1\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^kernel.kptr_restrict\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"1\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^kernel.kptr_restrict\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^kernel.kptr_restrict\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for kernel.kptr_restrict\n#\n/sbin/sysctl -q -n -w kernel.kptr_restrict=\"1\"\n\n#\n# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to \"1\"\n#\telse, add \"kernel.kptr_restrict = 1\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^kernel.kptr_restrict\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"1\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^kernel.kptr_restrict\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^kernel.kptr_restrict\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -137592,11 +137592,11 @@ } ], "id": "sysctl_kernel_randomize_va_space", - "title": "undefined title", + "title": "Enable Randomized Layout of Virtual Address Space", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for kernel.randomize_va_space\n#\n/sbin/sysctl -q -n -w kernel.randomize_va_space=\"2\"\n\n#\n# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to \"2\"\n#\telse, add \"kernel.randomize_va_space = 2\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^kernel.randomize_va_space\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"2\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^kernel.randomize_va_space\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^kernel.randomize_va_space\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for kernel.randomize_va_space\n#\n/sbin/sysctl -q -n -w kernel.randomize_va_space=\"2\"\n\n#\n# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to \"2\"\n#\telse, add \"kernel.randomize_va_space = 2\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^kernel.randomize_va_space\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"2\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^kernel.randomize_va_space\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^kernel.randomize_va_space\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -137798,283 +137798,283 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -138187,11 +138187,11 @@ } ], "id": "sysctl_net_ipv4_conf_all_accept_redirects", - "title": "undefined title", + "title": "Disable Accepting ICMP Redirects for All IPv4 Interfaces", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_all_accept_redirects_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.all.accept_redirects\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects=\"$sysctl_net_ipv4_conf_all_accept_redirects_value\"\n\n#\n# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.all.accept_redirects = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.all.accept_redirects\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_all_accept_redirects_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.all.accept_redirects\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.all.accept_redirects\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_all_accept_redirects_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.all.accept_redirects\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects=\"$sysctl_net_ipv4_conf_all_accept_redirects_value\"\n\n#\n# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.all.accept_redirects = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.all.accept_redirects\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_all_accept_redirects_value\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.all.accept_redirects\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.all.accept_redirects\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
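Review bot: The expected `descs.fix` on the new side still carries `sysctl_net_ipv4_conf_all_accept_redirects_value=\"\"` and `if [ -z \"\" ]`, so the fixture now blesses a remediation that runs `sysctl -w net.ipv4.conf.all.accept_redirects=""` and appends `net.ipv4.conf.all.accept_redirects = ` to `/etc/sysctl.conf` — a script that cannot actually disable ICMP redirects. Compared with the hard-coded `2` that survives in the `kernel.randomize_va_space` rule above, this looks like an XCCDF value/`<sub>` reference that the parser drops rather than resolves or preserves; that is an inference from the fixture, not something the hunk shows directly. The title fix (`"undefined title"` → the real rule title) is clearly an improvement, but the `-`/`+` `fix` lines read byte-identical in this rendering, so whatever changed in the script text is not visible here. Before committing this as expected output I would add a test that fails if any `descs.fix` in the fixture contains `_value=""`, or at least leave a `// TODO` on the fixture noting the unresolved value, so the parser gap is tracked rather than locked in.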
@@ -138423,349 +138423,349 @@ { "ref": "4.2.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -139088,11 +139088,11 @@ } ], "id": "sysctl_net_ipv4_conf_all_accept_source_route", - "title": "undefined title", + "title": "Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_all_accept_source_route_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.all.accept_source_route\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route=\"$sysctl_net_ipv4_conf_all_accept_source_route_value\"\n\n#\n# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.all.accept_source_route = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.all.accept_source_route\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_all_accept_source_route_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.all.accept_source_route\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.all.accept_source_route\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_all_accept_source_route_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.all.accept_source_route\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route=\"$sysctl_net_ipv4_conf_all_accept_source_route_value\"\n\n#\n# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.all.accept_source_route = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.all.accept_source_route\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_all_accept_source_route_value\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.all.accept_source_route\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.all.accept_source_route\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
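Review bot: The context `desc` for `sysctl_net_ipv4_conf_all_accept_source_route` reads `"To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:"` — the sysctl key, the command, the persisted line and the target directory are all gone, and the run-together `thekernel` / `command:To` shows tags were removed without inserting whitespace. Presumably the HTML/XCCDF tag stripping discards element content (or `<sub>` substitutions) instead of keeping the inner text; that is inferred from the output, not visible in the hunk. Since the commit touches this rule to fix its title, it is the moment to check that the description still says what an auditor needs, and to have tag removal substitute a space rather than an empty string so adjacent words do not merge. The same empty `_value=\"\"` in the `fix` script seen on the other sysctl rules applies here as well.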
@@ -139288,331 +139288,331 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -139767,11 +139767,11 @@ } ], "id": "sysctl_net_ipv4_conf_all_log_martians", - "title": "undefined title", + "title": "Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_all_log_martians_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.all.log_martians\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians=\"$sysctl_net_ipv4_conf_all_log_martians_value\"\n\n#\n# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.all.log_martians = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.all.log_martians\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_all_log_martians_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.all.log_martians\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.all.log_martians\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_all_log_martians_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.all.log_martians\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians=\"$sysctl_net_ipv4_conf_all_log_martians_value\"\n\n#\n# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.all.log_martians = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.all.log_martians\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_all_log_martians_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.all.log_martians\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.all.log_martians\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -139961,91 +139961,91 @@ { "ref": "4.2.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", 
"url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -140296,11 +140296,11 @@ } ], "id": "sysctl_net_ipv4_conf_all_rp_filter", - "title": "undefined title", + "title": "Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_all_rp_filter_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.all.rp_filter\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter=\"$sysctl_net_ipv4_conf_all_rp_filter_value\"\n\n#\n# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.all.rp_filter = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.all.rp_filter\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_all_rp_filter_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.all.rp_filter\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.all.rp_filter\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_all_rp_filter_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.all.rp_filter\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter=\"$sysctl_net_ipv4_conf_all_rp_filter_value\"\n\n#\n# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.all.rp_filter = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.all.rp_filter\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_all_rp_filter_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.all.rp_filter\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.all.rp_filter\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -140538,349 +140538,349 @@ { "ref": "4.2.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -141173,11 +141173,11 @@ } ], "id": "sysctl_net_ipv4_conf_all_secure_redirects", - "title": "undefined title", + "title": "Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_all_secure_redirects_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.all.secure_redirects\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects=\"$sysctl_net_ipv4_conf_all_secure_redirects_value\"\n\n#\n# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.all.secure_redirects = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.all.secure_redirects\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_all_secure_redirects_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.all.secure_redirects\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.all.secure_redirects\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_all_secure_redirects_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.all.secure_redirects\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects=\"$sysctl_net_ipv4_conf_all_secure_redirects_value\"\n\n#\n# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.all.secure_redirects = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.all.secure_redirects\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_all_secure_redirects_value\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.all.secure_redirects\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.all.secure_redirects\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -141415,349 +141415,349 @@ { "ref": "4.2.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -142080,11 +142080,11 @@ } ], "id": "sysctl_net_ipv4_conf_all_send_redirects", - "title": "undefined title", + "title": "Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for net.ipv4.conf.all.send_redirects\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects=\"0\"\n\n#\n# If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to \"0\"\n#\telse, add \"net.ipv4.conf.all.send_redirects = 0\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.all.send_redirects\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"0\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.all.send_redirects\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.all.send_redirects\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for net.ipv4.conf.all.send_redirects\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects=\"0\"\n\n#\n# If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to \"0\"\n#\telse, add \"net.ipv4.conf.all.send_redirects = 0\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.all.send_redirects\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"0\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.all.send_redirects\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.all.send_redirects\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -142328,349 +142328,349 @@ { "ref": "4.2.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -142963,11 +142963,11 @@ } ], "id": "sysctl_net_ipv4_conf_default_accept_redirects", - "title": "undefined title", + "title": "Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_default_accept_redirects_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.default.accept_redirects\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects=\"$sysctl_net_ipv4_conf_default_accept_redirects_value\"\n\n#\n# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.default.accept_redirects = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.default.accept_redirects\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_default_accept_redirects_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.default.accept_redirects\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.default.accept_redirects\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_default_accept_redirects_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.default.accept_redirects\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects=\"$sysctl_net_ipv4_conf_default_accept_redirects_value\"\n\n#\n# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.default.accept_redirects = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.default.accept_redirects\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_default_accept_redirects_value\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.default.accept_redirects\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.default.accept_redirects\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
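Review bot: The new `fix` text in this hunk still sets `sysctl_net_ipv4_conf_default_accept_redirects_value=""` and then runs `/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects="$sysctl_net_ipv4_conf_default_accept_redirects_value"`, so the remediation this snapshot now locks in would write an empty value (and the `if [ -z "" ]; then cce="CCE"` branch shows the CCE placeholder is likewise blank). The title was repaired from "undefined title", but the variable substitutions inside the fix script were evidently not, which suggests the parser drops `<sub>`-style references rather than resolving or preserving them; committing the output as the expected fixture turns that into a passing test. I would either resolve the substitutions to their benchmark values (here presumably `0` for accept_redirects — to be confirmed against the source XCCDF) or keep a visible placeholder such as `<sub idref="sysctl_net_ipv4_conf_default_accept_redirects_value"/>` so the gap is obvious, and add a fixture assertion that no `fix` string contains `_value=""`. The same empty-value pattern appears in the neighbouring sysctl rules of this file.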
@@ -143211,349 +143211,349 @@ { "ref": "4.2.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -143870,11 +143870,11 @@ } ], "id": "sysctl_net_ipv4_conf_default_accept_source_route", - "title": "undefined title", + "title": "Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_default_accept_source_route_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.default.accept_source_route\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route=\"$sysctl_net_ipv4_conf_default_accept_source_route_value\"\n\n#\n# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.default.accept_source_route = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.default.accept_source_route\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_default_accept_source_route_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.default.accept_source_route\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.default.accept_source_route\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_default_accept_source_route_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.default.accept_source_route\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route=\"$sysctl_net_ipv4_conf_default_accept_source_route_value\"\n\n#\n# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.default.accept_source_route = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.default.accept_source_route\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_default_accept_source_route_value\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.default.accept_source_route\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.default.accept_source_route\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
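Review bot: The `desc` kept in this hunk, `"To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:"`, has lost every inline element it referred to — the parameter name, the command, the line to add and the directory — leaving text that is grammatically broken ("thekernel", "command:To") and unusable as guidance. That indicates the description's child elements (`<sub>`/code markup or similar) are being stripped rather than flattened to text, and this commit records the stripped result as the expected output while only fixing the title. The hunk's `fix` script likewise sets `sysctl_net_ipv4_conf_default_accept_source_route_value=""` before calling `sysctl -w`, so the snapshot also bakes in a remediation with no value. A fixture-level check that descriptions contain no fused tokens like `thekernel` or `command:To` would catch this class of regression before it is committed.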
@@ -144064,331 +144064,331 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -144543,11 +144543,11 @@ } ], "id": "sysctl_net_ipv4_conf_default_log_martians", - "title": "undefined title", + "title": "Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_default_log_martians_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.default.log_martians\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians=\"$sysctl_net_ipv4_conf_default_log_martians_value\"\n\n#\n# If net.ipv4.conf.default.log_martians present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.default.log_martians = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.default.log_martians\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_default_log_martians_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.default.log_martians\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.default.log_martians\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_default_log_martians_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.default.log_martians\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians=\"$sysctl_net_ipv4_conf_default_log_martians_value\"\n\n#\n# If net.ipv4.conf.default.log_martians present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.default.log_martians = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.default.log_martians\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_default_log_martians_value\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.default.log_martians\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.default.log_martians\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
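Review bot: The new-side `fix` text in this hunk still contains unresolved XCCDF value substitutions — `sysctl_net_ipv4_conf_default_log_martians_value=\"\"` and `if [ -z \"\" ]; then` — so the remediation script this fixture ratifies would run `sysctl -w net.ipv4.conf.default.log_martians=""` and persist a line with no value into /etc/sysctl.conf. The same empty-value pattern appears on the new side of the rp_filter hunk (`@@ -145066`) and the secure_redirects hunk (`@@ -145961`). The unchanged `desc` context line ("thekernel parameter", "command:To make sure") reads as if inline element content (presumably `<sub>`/code children) is dropped rather than resolved by the parser, which lives outside this fixture. Before snapshotting, it seems worth either resolving `sub idref` references against the benchmark's Value defaults or noting in the test that generates this fixture that empty substitutions are the expected output, so a later run does not silently mask a regression.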
@@ -144731,91 +144731,91 @@ { "ref": "4.2.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", 
"url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -145066,11 +145066,11 @@ } ], "id": "sysctl_net_ipv4_conf_default_rp_filter", - "title": "undefined title", + "title": "Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_default_rp_filter_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.default.rp_filter\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter=\"$sysctl_net_ipv4_conf_default_rp_filter_value\"\n\n#\n# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.default.rp_filter = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.default.rp_filter\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_default_rp_filter_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.default.rp_filter\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.default.rp_filter\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_default_rp_filter_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.default.rp_filter\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter=\"$sysctl_net_ipv4_conf_default_rp_filter_value\"\n\n#\n# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.default.rp_filter = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.default.rp_filter\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_default_rp_filter_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.default.rp_filter\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.default.rp_filter\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -145302,349 +145302,349 @@ { "ref": "4.2.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -145961,11 +145961,11 @@ } ], "id": "sysctl_net_ipv4_conf_default_secure_redirects", - "title": "undefined title", + "title": "Configure Kernel Parameter for Accepting Secure Redirects By Default", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_default_secure_redirects_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.default.secure_redirects\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects=\"$sysctl_net_ipv4_conf_default_secure_redirects_value\"\n\n#\n# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.default.secure_redirects = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.default.secure_redirects\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_default_secure_redirects_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.default.secure_redirects\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.default.secure_redirects\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_conf_default_secure_redirects_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.conf.default.secure_redirects\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects=\"$sysctl_net_ipv4_conf_default_secure_redirects_value\"\n\n#\n# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.conf.default.secure_redirects = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.default.secure_redirects\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_conf_default_secure_redirects_value\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.default.secure_redirects\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.default.secure_redirects\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -146203,349 +146203,349 @@ { "ref": "4.2.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -146868,11 +146868,11 @@ } ], "id": "sysctl_net_ipv4_conf_default_send_redirects", - "title": "undefined title", + "title": "Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for net.ipv4.conf.default.send_redirects\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects=\"0\"\n\n#\n# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to \"0\"\n#\telse, add \"net.ipv4.conf.default.send_redirects = 0\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.default.send_redirects\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"0\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.default.send_redirects\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.default.send_redirects\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for net.ipv4.conf.default.send_redirects\n#\n/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects=\"0\"\n\n#\n# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to \"0\"\n#\telse, add \"net.ipv4.conf.default.send_redirects = 0\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.conf.default.send_redirects\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"0\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.conf.default.send_redirects\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.conf.default.send_redirects\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
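Review bot: The `desc` context line in this hunk reads `To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:` — the kernel parameter name, the sysctl command and the target directory are absent and the words run together, which looks like the text of inline `<code>`/`<pre>` elements was dropped along with their tags rather than kept as plain text. The same truncated description appears in the `sysctl_net_ipv4_icmp_echo_ignore_broadcasts` record in the next hunk. It is a context line, so this commit does not introduce it, but the regenerated fixture still pins the lossy output while the `title` line in the same record is being corrected from `undefined title`. If this fixture is regenerated from the parser, I would have the tag-stripping step keep the element text and insert a single space where a removed tag separated two words, then regenerate, so the remediation instructions in `desc` remain readable.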
@@ -147104,349 +147104,349 @@ { "ref": "4.2.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -147757,11 +147757,11 @@ } ], "id": "sysctl_net_ipv4_icmp_echo_ignore_broadcasts", - "title": "undefined title", + "title": "Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts\n#\n/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts=\"$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value\"\n\n#\n# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.icmp_echo_ignore_broadcasts = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.icmp_echo_ignore_broadcasts\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.icmp_echo_ignore_broadcasts\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.icmp_echo_ignore_broadcasts\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts\n#\n/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts=\"$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value\"\n\n#\n# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.icmp_echo_ignore_broadcasts = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.icmp_echo_ignore_broadcasts\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.icmp_echo_ignore_broadcasts\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.icmp_echo_ignore_broadcasts\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -147939,283 +147939,283 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -148346,11 +148346,11 @@ } ], "id": "sysctl_net_ipv4_icmp_ignore_bogus_error_responses", - "title": "undefined title", + "title": "Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses\n#\n/sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses=\"$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value\"\n\n#\n# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.icmp_ignore_bogus_error_responses = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.icmp_ignore_bogus_error_responses\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.icmp_ignore_bogus_error_responses\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.icmp_ignore_bogus_error_responses\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses\n#\n/sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses=\"$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value\"\n\n#\n# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.icmp_ignore_bogus_error_responses = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.icmp_ignore_bogus_error_responses\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.icmp_ignore_bogus_error_responses\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.icmp_ignore_bogus_error_responses\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
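Review bot: The `desc` context line in this hunk pins lossy text — `the kernel parameter` has collapsed to `thekernel parameter`, and the command after `run the following command:` and the line after `add the following line to a file in the directory:` are both missing — which suggests the inner text of the stripped elements (presumably `<code>`/`<pre>` bodies; confirm against the parser's HTML-tag removal) was dropped together with the tags rather than unwrapped. The hunk only changes `title` and `fix`, so this regenerated expectation bakes the loss into the test instead of catching it; the same `desc` shape appears in the `sysctl_net_ipv4_ip_forward` hunk below. Expect something like `the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter` here and check the fixture against the source XCCDF before accepting it. The surrounding JSON object for this rule starts and ends outside the hunk.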
@@ -148534,331 +148534,331 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -149025,11 +149025,11 @@ } ], "id": "sysctl_net_ipv4_ip_forward", - "title": "undefined title", + "title": "Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for net.ipv4.ip_forward\n#\n/sbin/sysctl -q -n -w net.ipv4.ip_forward=\"0\"\n\n#\n# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to \"0\"\n#\telse, add \"net.ipv4.ip_forward = 0\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.ip_forward\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"0\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.ip_forward\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.ip_forward\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for net.ipv4.ip_forward\n#\n/sbin/sysctl -q -n -w net.ipv4.ip_forward=\"0\"\n\n#\n# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to \"0\"\n#\telse, add \"net.ipv4.ip_forward = 0\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.ip_forward\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"0\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.ip_forward\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.ip_forward\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -149225,91 +149225,91 @@ { "ref": "4.2.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", 
"url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -149590,11 +149590,11 @@ } ], "id": "sysctl_net_ipv4_tcp_syncookies", - "title": "undefined title", + "title": "Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_tcp_syncookies_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.tcp_syncookies\n#\n/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies=\"$sysctl_net_ipv4_tcp_syncookies_value\"\n\n#\n# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.tcp_syncookies = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.tcp_syncookies\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_tcp_syncookies_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.tcp_syncookies\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.tcp_syncookies\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv4_tcp_syncookies_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv4.tcp_syncookies\n#\n/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies=\"$sysctl_net_ipv4_tcp_syncookies_value\"\n\n#\n# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv4.tcp_syncookies = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv4.tcp_syncookies\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv4_tcp_syncookies_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv4.tcp_syncookies\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv4.tcp_syncookies\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
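Review bot: The new side of this hunk still snapshots a `desc` whose inline element text has been stripped ("…status of thekernel parameter, run the following command:To make sure…" has no parameter name, command or file path) and a `fix` script whose value is empty (`sysctl_net_ipv4_tcp_syncookies_value=""` feeding `/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies="$sysctl_net_ipv4_tcp_syncookies_value"`), so the fixture now asserts output that has lost the very value the control is meant to enforce. Presumably the tag/entity removal drops the content of inline XCCDF elements (e.g. `sub` and code markup) instead of keeping their text; that should be confirmed in the parser before this snapshot is accepted as the expected result. The same pattern appears in the hunks at `@@ -150035` and `@@ -150504`. The removed and added `fix` lines read byte-identical in this view, so I cannot tell what the commit changed in them; if it is only whitespace, the title is the only substantive change in these hunks.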
@@ -149694,265 +149694,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -150035,11 +150035,11 @@ } ], "id": "sysctl_net_ipv6_conf_all_accept_ra", - "title": "undefined title", + "title": "Configure Accepting Router Advertisements on All IPv6 Interfaces", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv6_conf_all_accept_ra_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv6.conf.all.accept_ra\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra=\"$sysctl_net_ipv6_conf_all_accept_ra_value\"\n\n#\n# If net.ipv6.conf.all.accept_ra present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv6.conf.all.accept_ra = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.all.accept_ra\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv6_conf_all_accept_ra_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.all.accept_ra\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.all.accept_ra\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv6_conf_all_accept_ra_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv6.conf.all.accept_ra\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra=\"$sysctl_net_ipv6_conf_all_accept_ra_value\"\n\n#\n# If net.ipv6.conf.all.accept_ra present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv6.conf.all.accept_ra = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.all.accept_ra\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv6_conf_all_accept_ra_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.all.accept_ra\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.all.accept_ra\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -150151,265 +150151,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -150504,11 +150504,11 @@ } ], "id": "sysctl_net_ipv6_conf_all_accept_redirects", - "title": "undefined title", + "title": "Disable Accepting ICMP Redirects for All IPv6 Interfaces", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv6_conf_all_accept_redirects_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv6.conf.all.accept_redirects\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_redirects=\"$sysctl_net_ipv6_conf_all_accept_redirects_value\"\n\n#\n# If net.ipv6.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv6.conf.all.accept_redirects = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.all.accept_redirects\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv6_conf_all_accept_redirects_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.all.accept_redirects\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.all.accept_redirects\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv6_conf_all_accept_redirects_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv6.conf.all.accept_redirects\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_redirects=\"$sysctl_net_ipv6_conf_all_accept_redirects_value\"\n\n#\n# If net.ipv6.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv6.conf.all.accept_redirects = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.all.accept_redirects\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv6_conf_all_accept_redirects_value\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.all.accept_redirects\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.all.accept_redirects\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -150662,79 +150662,79 @@ { "ref": "4.2.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", 
"url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -150955,11 +150955,11 @@ } ], "id": "sysctl_net_ipv6_conf_all_accept_source_route", - "title": "undefined title", + "title": "Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv6_conf_all_accept_source_route_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv6.conf.all.accept_source_route\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route=\"$sysctl_net_ipv6_conf_all_accept_source_route_value\"\n\n#\n# If net.ipv6.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv6.conf.all.accept_source_route = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.all.accept_source_route\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv6_conf_all_accept_source_route_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.all.accept_source_route\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.all.accept_source_route\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv6_conf_all_accept_source_route_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv6.conf.all.accept_source_route\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route=\"$sysctl_net_ipv6_conf_all_accept_source_route_value\"\n\n#\n# If net.ipv6.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv6.conf.all.accept_source_route = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.all.accept_source_route\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv6_conf_all_accept_source_route_value\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.all.accept_source_route\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.all.accept_source_route\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
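Review bot: The new-side `fix` string for `sysctl_net_ipv6_conf_all_accept_source_route` still sets `sysctl_net_ipv6_conf_all_accept_source_route_value=""` and then runs `/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route="$sysctl_net_ipv6_conf_all_accept_source_route_value"`, so the remediation this fixture pins applies an empty value and would append `net.ipv6.conf.all.accept_source_route = ` to /etc/sysctl.conf instead of the hardening value; the commit repairs the title but leaves this unchanged. The same shape appears in `if [ -z "" ]; then cce="CCE"`, which looks like an unresolved XCCDF `<sub idref=.../>` reference rather than a benchmark that genuinely carries no value, though that should be confirmed against the source benchmark's `<Value>` element. I would not accept this as expected output until the substitution is resolved, or at minimum add a test asserting that no `fix` in the sample contains `_value=""`.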
@@ -151053,265 +151053,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -151388,11 +151388,11 @@ } ], "id": "sysctl_net_ipv6_conf_all_disable_ipv6", - "title": "undefined title", + "title": "Disable IPv6 Addressing on All IPv6 Interfaces", "desc": "To disable support for () addressing on all interface add the following line to(or another file in):This disables IPv6 on all network interfaces as other services and system\nfunctionality require the IPv6 stack loaded to work.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for net.ipv6.conf.all.disable_ipv6\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.all.disable_ipv6=\"1\"\n\n#\n# If net.ipv6.conf.all.disable_ipv6 present in /etc/sysctl.conf, change value to \"1\"\n#\telse, add \"net.ipv6.conf.all.disable_ipv6 = 1\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.all.disable_ipv6\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"1\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.all.disable_ipv6\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.all.disable_ipv6\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for net.ipv6.conf.all.disable_ipv6\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.all.disable_ipv6=\"1\"\n\n#\n# If net.ipv6.conf.all.disable_ipv6 present in /etc/sysctl.conf, change value to \"1\"\n#\telse, add \"net.ipv6.conf.all.disable_ipv6 = 1\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.all.disable_ipv6\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"1\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.all.disable_ipv6\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.all.disable_ipv6\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
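Review bot: The `desc` context line for `sysctl_net_ipv6_conf_all_disable_ipv6` reads "To disable support for () addressing on all interface add the following line to(or another file in):", so the parameter name, the target file and the directory have been stripped out together with their markup and the description no longer states what to configure; the commit restores the title but leaves this text as-is. This is consistent with a tag-stripping step dropping inline element contents rather than only the tags, but the parser side is outside this hunk and should be confirmed there. Because the description is what an assessor reads to verify the control, I would treat the emptied parentheses as a regression rather than bake them into the expected fixture, and add a test that the `desc` for this id still contains `net.ipv6.conf.all.disable_ipv6`.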
@@ -151564,283 +151564,283 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -151959,11 +151959,11 @@ } ], "id": "sysctl_net_ipv6_conf_all_forwarding", - "title": "undefined title", + "title": "Disable Kernel Parameter for IPv6 Forwarding", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv6_conf_all_forwarding_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv6.conf.all.forwarding\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding=\"$sysctl_net_ipv6_conf_all_forwarding_value\"\n\n#\n# If net.ipv6.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv6.conf.all.forwarding = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.all.forwarding\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv6_conf_all_forwarding_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.all.forwarding\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.all.forwarding\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv6_conf_all_forwarding_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv6.conf.all.forwarding\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding=\"$sysctl_net_ipv6_conf_all_forwarding_value\"\n\n#\n# If net.ipv6.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv6.conf.all.forwarding = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.all.forwarding\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv6_conf_all_forwarding_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.all.forwarding\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.all.forwarding\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
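Review bot: The `fix` for `sysctl_net_ipv6_conf_all_forwarding` has the same unresolved placeholder as the accept_source_route entry: `sysctl_net_ipv6_conf_all_forwarding_value=""` feeds `/sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding="$sysctl_net_ipv6_conf_all_forwarding_value"`, so the pinned remediation sets no value and the persisted line would be `net.ipv6.conf.all.forwarding = `. The title fix is correct, but this value should be resolved from the benchmark's `<Value>` (presumably via `<sub idref=...>`) before the fixture is accepted as expected output.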
@@ -152063,265 +152063,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -152404,11 +152404,11 @@ } ], "id": "sysctl_net_ipv6_conf_default_accept_ra", - "title": "undefined title", + "title": "Disable Accepting Router Advertisements on all IPv6 Interfaces by Default", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv6_conf_default_accept_ra_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv6.conf.default.accept_ra\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra=\"$sysctl_net_ipv6_conf_default_accept_ra_value\"\n\n#\n# If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv6.conf.default.accept_ra = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.default.accept_ra\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv6_conf_default_accept_ra_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.default.accept_ra\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.default.accept_ra\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv6_conf_default_accept_ra_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv6.conf.default.accept_ra\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra=\"$sysctl_net_ipv6_conf_default_accept_ra_value\"\n\n#\n# If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv6.conf.default.accept_ra = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.default.accept_ra\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv6_conf_default_accept_ra_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.default.accept_ra\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.default.accept_ra\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -152520,265 +152520,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -152861,11 +152861,11 @@ } ], "id": "sysctl_net_ipv6_conf_default_accept_redirects", - "title": "undefined title", + "title": "Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv6_conf_default_accept_redirects_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv6.conf.default.accept_redirects\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects=\"$sysctl_net_ipv6_conf_default_accept_redirects_value\"\n\n#\n# If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv6.conf.default.accept_redirects = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.default.accept_redirects\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv6_conf_default_accept_redirects_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.default.accept_redirects\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.default.accept_redirects\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv6_conf_default_accept_redirects_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv6.conf.default.accept_redirects\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects=\"$sysctl_net_ipv6_conf_default_accept_redirects_value\"\n\n#\n# If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv6.conf.default.accept_redirects = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.default.accept_redirects\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv6_conf_default_accept_redirects_value\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.default.accept_redirects\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.default.accept_redirects\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -153019,79 +153019,79 @@ { "ref": "4.2.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", 
"url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -153324,11 +153324,11 @@ } ], "id": "sysctl_net_ipv6_conf_default_accept_source_route", - "title": "undefined title", + "title": "Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default", "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv6_conf_default_accept_source_route_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv6.conf.default.accept_source_route\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_source_route=\"$sysctl_net_ipv6_conf_default_accept_source_route_value\"\n\n#\n# If net.ipv6.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv6.conf.default.accept_source_route = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.default.accept_source_route\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv6_conf_default_accept_source_route_value\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.default.accept_source_route\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.default.accept_source_route\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\nsysctl_net_ipv6_conf_default_accept_source_route_value=\"\"\n\n\n\n#\n# Set runtime for net.ipv6.conf.default.accept_source_route\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_source_route=\"$sysctl_net_ipv6_conf_default_accept_source_route_value\"\n\n#\n# If net.ipv6.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value\n#\telse, add \"net.ipv6.conf.default.accept_source_route = value\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.default.accept_source_route\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$sysctl_net_ipv6_conf_default_accept_source_route_value\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.default.accept_source_route\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.default.accept_source_route\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { 
@@ -153422,265 +153422,265 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { 
@@ -153757,11 +153757,11 @@ } ], "id": "sysctl_net_ipv6_conf_default_disable_ipv6", - "title": "undefined title", + "title": "Disable IPv6 Addressing on IPv6 Interfaces by Default", "desc": "To disable support for () addressing on interfaces by default add the following line to(or another file in):This disables IPv6 on network interfaces by default as other services and system\nfunctionality require the IPv6 stack loaded to work.", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for net.ipv6.conf.default.disable_ipv6\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.default.disable_ipv6=\"1\"\n\n#\n# If net.ipv6.conf.default.disable_ipv6 present in /etc/sysctl.conf, change value to \"1\"\n#\telse, add \"net.ipv6.conf.default.disable_ipv6 = 1\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.default.disable_ipv6\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"1\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.default.disable_ipv6\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.default.disable_ipv6\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\n\n\n#\n# Set runtime for net.ipv6.conf.default.disable_ipv6\n#\n/sbin/sysctl -q -n -w net.ipv6.conf.default.disable_ipv6=\"1\"\n\n#\n# If net.ipv6.conf.default.disable_ipv6 present in /etc/sysctl.conf, change value to \"1\"\n#\telse, add \"net.ipv6.conf.default.disable_ipv6 = 1\" to /etc/sysctl.conf\n#\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/sysctl.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# If the cce arg is empty, CCE is not assigned.\nif [ -z \"\" ]; then\n cce=\"CCE\"\nelse\n cce=\"\"\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^net.ipv6.conf.default.disable_ipv6\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"1\"\n\n# If the key exists, change it. 
Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^net.ipv6.conf.default.disable_ipv6\\\\>\" \"/etc/sysctl.conf\"; then\n \"${sed_command[@]}\" \"s/^net.ipv6.conf.default.disable_ipv6\\\\>.*/$formatted_output/gi\" \"/etc/sysctl.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n printf '\\n# Per %s: Set %s in %s\\n' \"$cce\" \"$formatted_output\" \"/etc/sysctl.conf\" >> \"/etc/sysctl.conf\"\n printf '%s\\n' \"$formatted_output\" >> \"/etc/sysctl.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -153799,7 +153799,7 @@ } ], "id": "use_pam_wheel_for_su", - "title": "undefined title", + "title": "Enforce usage of pam_wheel for su authentication", "desc": "To ensure that only users who are members of thegroup can\nrun commands with altered privileges through thecommand, make\nsure that the following line exists in the file:", "impact": 0.5, "descs": {} @@ -153846,7 +153846,7 @@ } ], "id": "vlock_installed", - "title": "undefined title", + "title": "Check that vlock is installed to allow session locking", "desc": "The Ubuntu 20.04 operating system must have vlock installed to allow for session locking.\n\n\nThepackage can be installed with the following command:", "impact": 0.5, "descs": { 
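Review bot: The `desc` values on the new side still lose the inner text of the inline markup, not just the markup itself — `"members of thegroup"`, `"through thecommand"`, `"add the following line to(or another file in):"`, `"Thepackage can be installed"` — so the expected fixture pins descriptions with the group name, the command, the sysctl line and the target file path missing. For a benchmark rule that text is the actionable content; a consumer of the generated control cannot tell what to set, only that something should be set. The title repair in this hunk is fine, but if the tag-stripping helper is what drops the element text the fixture should be regenerated after that is fixed rather than committed as the expected result (the helper is not visible from this hunk); if the fixture is deliberately pinning current behaviour, a comment such as `// TODO: desc loses <tt>/<code> content, see use_pam_wheel_for_su` in the owning test would stop the loss from being locked in silently.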
@@ -154004,319 +154004,319 @@ { "ref": "4.3.3.5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.5.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.6.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.3.7.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "4.3.4.3.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731" ] }, { "ref": "SR 1.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.10", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.11", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.12", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.13", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 1.9", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.4", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 2.7", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.5", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 3.8", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 4.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.2", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + 
"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 5.3", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.1", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { "ref": "SR 7.6", "url": [ - "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" + "https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785" ] }, { @@ -154489,11 +154489,11 @@ } ], "id": "wireless_disable_interfaces", - "title": "undefined title", + "title": "Deactivate Wireless Network Interfaces", "desc": "Deactivating wireless network interfaces should prevent\nnormal usage of the wireless capability.Configure the system to disable all wireless network interfaces with the\nfollowing command:", "impact": 0.5, "descs": { - "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nnmcli radio wifi off\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" + "fix": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nnmcli radio wifi off\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi" } }, { @@ -154513,7 +154513,7 @@ } ], "id": "zipl_audit_argument", - "title": "undefined title", + "title": "Enable Auditing to Start Prior to the Audit Daemon in zIPL", "desc": "To ensure all processes can be audited, even those which start prior to the audit daemon,\ncheck that all boot entries inhaveincluded in its options.To ensure that new kernels and boot entries continue to enable audit,\naddto.", "impact": 0.5, "descs": {} 
@@ -154535,15 +154535,13 @@ } ], "id": "zipl_audit_backlog_limit_argument", - "title": "undefined title", + "title": "Extend Audit Backlog Limit for the Audit Daemon in zIPL", "desc": "To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,\ncheck that all boot entries inhaveincluded in its options.To ensure that new kernels and boot entries continue to extend the audit log events queue,\naddto.", "impact": 0.5, "descs": {} } ], - "name": [ - "UBUNTU_20-04" - ], + "name": "UBUNTU_20-04", "title": "Guide to the Secure Configuration of Ubuntu 20.04", "summary": "This guide presents a catalog of security-relevant configuration settings for Ubuntu 20.04. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in thepackage which is developed at.Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). 
The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance." } \ No newline at end of file diff --git a/test/sample_data/xccdf/input/CIS/AlmaLinux_Benchmark-xccdf.xml b/test/sample_data/xccdf/input/CIS/AlmaLinux_Benchmark-xccdf.xml index ae0d23c..2cb9d42 100644 --- a/test/sample_data/xccdf/input/CIS/AlmaLinux_Benchmark-xccdf.xml +++ b/test/sample_data/xccdf/input/CIS/AlmaLinux_Benchmark-xccdf.xml 
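Review bot: `name` is now serialized as a bare string where the previous fixture had a one-element array, so the shape of this field in the emitted profile changes and any consumer that indexed `name[0]` or iterated it will break. Whether that is deliberate normalization or a side effect of a single-tag-as-array parser option, it is a change to public output and deserves a changelog entry and a version that signals it; the producing code is not visible from this hunk. It is also worth confirming that no other array-valued field was flattened the same way unintentionally — the `url` arrays earlier in this file still appear as arrays on the new side, which suggests the flattening is specific to `name`.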
@@ -5,46 +5,46 @@ This document provides prescriptive guidance for establishing a secure configuration posture for AlmaLinux OS 9 systems running on x86_64 platforms. This guide was developed and tested against AlmaLinux OS 9.4 -The guidance within broadly assumes that operations are being performed as the root - user, and executed under the default Bash version for the applicable distribution. Operations performed using sudo - instead of the root - user, or executed under another shell, may produce unexpected results, or fail to make the intended changes to the system. Non-root users may not be able to access certain areas of the system, especially after remediation has been performed. It is advisable to verify root - users path integrity and the integrity of any programs being run prior to execution of commands and scripts included in this benchmark. + The guidance within broadly assumes that operations are being performed as the root + user, and executed under the default Bash version for the applicable distribution. Operations performed using sudo + instead of the root + user, or executed under another shell, may produce unexpected results, or fail to make the intended changes to the system. Non-root users may not be able to access certain areas of the system, especially after remediation has been performed. It is advisable to verify root + users path integrity and the integrity of any programs being run prior to execution of commands and scripts included in this benchmark. -The default prompt for the root - user is # -, and as such all sample commands will have # - as an additional indication that it is to be executed as root -. + The default prompt for the root + user is # + , and as such all sample commands will have # + as an additional indication that it is to be executed as root + . -To obtain the latest version of this guide, please visit http://workbench.cisecurity.org -. 
If you have questions, comments, or have identified ways to improve this guide, please write us at feedback@cisecurity.org -. + To obtain the latest version of this guide, please visit http://workbench.cisecurity.org + . If you have questions, comments, or have identified ways to improve this guide, please write us at feedback@cisecurity.org + . BACKGROUND. - The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other services and materials from the CIS website or elsewhere ("Products") as a public service to Internet users worldwide. Recommendations contained in the Products ("Recommendations") result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems, and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. - NO REPRESENTATIONS, WARRANTIES, OR COVENANTS. - CIS makes no representations, warranties, or covenants whatsoever as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness, or completeness of the Products or the Recommendations. CIS is providing the Products and the Recommendations "as is" and "as available" without representations, warranties, or covenants of any kind. USER AGREEMENTS. - By using the Products and/or the Recommendations, I and/or my organization ("We") agree and acknowledge that: - 1. 
No network, system, device, hardware, software, or component can be made fully secure; - 2. We are using the Products and the Recommendations solely at our own risk; - 3. We are not compensating CIS to assume any liabilities associated with our use of the Products or the Recommendations, even risks that result from CIS's negligence or failure to perform; - 4. We have the sole responsibility to evaluate the risks and benefits of the Products and Recommendations to us and to adapt the Products and the Recommendations to our particular circumstances and requirements; - 5. Neither CIS, nor any CIS Party (defined below) has any responsibility to make any corrections, updates, upgrades, or bug fixes; or to notify us of the need for any such corrections, updates, upgrades, or bug fixes; and - 6. Neither CIS nor any CIS Party has or will have any liability to us whatsoever (whether based in contract, tort, strict liability or otherwise) for any direct, indirect, incidental, consequential, or special damages (including without limitation loss of profits, loss of sales, loss of or damage to reputation,loss of customers, loss of software, data, information or emails, loss of privacy, loss of use of any computer or other equipment, business interruption, wasted management or other staff resources or claims of any kind against us from third parties) arising out of or in any way Connected with our use of or our inability to use any of the Products or Recommendations (even if CIS has been advised of the possibility of such damages), including without limitation any liability associated with infringement of intellectual property, defects, bugs, errors, omissions, viruses, worms, backdoors, Trojan horses or other harmful items. - GRANT OF LIMITED RIGHTS. - CIS hereby grants each user the following rights, but only so long as the user complies with all of the terms of these Agreed Terms of Use: - 1. 
Except to the extent that we may have received additional authorization pursuant to a written agreement with CIS, each user may download, install and use each of the Products on a single computer; - 2. Each user may print one or more copies of any Product or any component of a Product that is in a .txt, .pdf, .doc, .mcw, or .rtf format, provided that all such copies are printed in full and are kept intact, including without limitation the text of this Agreed Terms of Use in its entirety. - RETENTION OF INTELLECTUAL PROPERTY RIGHTS; LIMITATIONS ON DISTRIBUTION. - The Products are protected by copyright and other intellectual property laws and by international treaties. We acknowledge and agree that we are not acquiring title to any intellectual property rights in the Products and that full title and all ownership rights to the Products will remain the exclusive property of CIS or CIS Parties. CIS reserves all rights not expressly granted to users in the preceding section entitled "Grant of limited rights." 
- Subject to the paragraph entitled "Special Rules" (which includes a waiver, granted to some classes of CIS Members, of certain limitations in this paragraph), and except as we may have otherwise agreed in a written agreement with CIS, we agree that we will not (i) decompile, disassemble, reverse engineer, or otherwise attempt to derive the source code for any software Product that is not already in the form of source code; (ii) distribute, redistribute, encumber, sell, rent, lease, lend, sublicense, or otherwise transfer or exploit rights to any Product or any component of a Product; (iii) post any Product or any component of a Product on any website, bulletin board, ftp server, newsgroup, or other similar mechanism or device, without regard to whether such mechanism or device is internal or external, (iv) remove or alter trademark, logo, copyright or other proprietary notices, legends, symbols or labels in any Product or any component of a Product; (v) remove these Agreed Terms of Use from, or alter these Agreed Terms of Use as they appear in, any Product or any component of a Product; (vi) use any Product or any component of a Product with any derivative works based directly on a Product or any component of a Product; (vii) use any Product or any component of a Product with other products or applications that are directly and specifically dependent on such Product or any component for any part of their functionality, or (viii) represent or claim a particular level of compliance with a CIS Benchmark, scoring tool or other Product. We will not facilitate or otherwise aid other individuals or entities in any of the activities listed in this paragraph. 
- We hereby agree to indemnify, defend, and hold CIS and all of its officers, directors, members, contributors, employees, authors, developers, agents, affiliates, licensors, information and service providers, software suppliers, hardware suppliers, and all other persons who aided CIS in the creation, development, or maintenance of the Products or Recommendations ("CIS Parties") harmless from and against any and all liability, losses, costs, and expenses (including attorneys' fees and court costs) incurred by CIS or any CIS Party in connection with any claim arising out of any violation by us of the preceding paragraph, including without limitation CIS's right, at our expense, to assume the exclusive defense and control of any matter subject to this indemnification, and in such case, we agree to cooperate with CIS in its defense of such claim. We further agree that all CIS Parties are third-party beneficiaries of our undertakings in these Agreed Terms of Use. SPECIAL RULES. - CIS has created and will from time to time create, special rules for its members and for other persons and organizations with which CIS has a written contractual relationship. Those special rules will override and supersede these Agreed Terms of Use with respect to the users who are covered by the special rules. - CIS hereby grants each CIS Security Consulting or Software Vendor Member and each CIS Organizational User Member, but only so long as such Member remains in good standing with CIS and complies with all of the terms of these Agreed Terms of Use, the right to distribute the Products and Recommendations within such Member's own organization, whether by manual or electronic means. Each such Member acknowledges and agrees that the foregoing grant is subject to the terms of such Member's membership arrangement with CIS and may, therefore, be modified or terminated by CIS at any time. - CHOICE OF LAW; JURISDICTION; VENUE. 
- We acknowledge and agree that these Agreed Terms of Use will be governed by and construed in accordance with the laws of the State of Maryland, that any action at law or in equity arising out of or relating to these Agreed Terms of Use shall be filed only in the courts located in the State of Maryland, that we hereby consent and submit to the personal jurisdiction of such courts for the purposes of litigating any such action. If any of these Agreed Terms of Use shall be determined to be unlawful, void, or for any reason unenforceable, then such terms shall be deemed severable and shall not affect the validity and enforceability of any remaining provisions. - BY USING THE PRODUCTS I(WE) ACKNOWLEDGE THAT WE HAVE READ THESE AGREED TERMS OF USE IN THEIR ENTIRETY, UNDERSTAND THEM, AND I(WE) AGREE TO BE BOUND BY THEM IN ALL RESPECTS. + The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other services and materials from the CIS website or elsewhere ("Products") as a public service to Internet users worldwide. Recommendations contained in the Products ("Recommendations") result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems, and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. + NO REPRESENTATIONS, WARRANTIES, OR COVENANTS. 
+ CIS makes no representations, warranties, or covenants whatsoever as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness, or completeness of the Products or the Recommendations. CIS is providing the Products and the Recommendations "as is" and "as available" without representations, warranties, or covenants of any kind. USER AGREEMENTS. + By using the Products and/or the Recommendations, I and/or my organization ("We") agree and acknowledge that: + 1. No network, system, device, hardware, software, or component can be made fully secure; + 2. We are using the Products and the Recommendations solely at our own risk; + 3. We are not compensating CIS to assume any liabilities associated with our use of the Products or the Recommendations, even risks that result from CIS's negligence or failure to perform; + 4. We have the sole responsibility to evaluate the risks and benefits of the Products and Recommendations to us and to adapt the Products and the Recommendations to our particular circumstances and requirements; + 5. Neither CIS, nor any CIS Party (defined below) has any responsibility to make any corrections, updates, upgrades, or bug fixes; or to notify us of the need for any such corrections, updates, upgrades, or bug fixes; and + 6. 
Neither CIS nor any CIS Party has or will have any liability to us whatsoever (whether based in contract, tort, strict liability or otherwise) for any direct, indirect, incidental, consequential, or special damages (including without limitation loss of profits, loss of sales, loss of or damage to reputation,loss of customers, loss of software, data, information or emails, loss of privacy, loss of use of any computer or other equipment, business interruption, wasted management or other staff resources or claims of any kind against us from third parties) arising out of or in any way Connected with our use of or our inability to use any of the Products or Recommendations (even if CIS has been advised of the possibility of such damages), including without limitation any liability associated with infringement of intellectual property, defects, bugs, errors, omissions, viruses, worms, backdoors, Trojan horses or other harmful items. + GRANT OF LIMITED RIGHTS. + CIS hereby grants each user the following rights, but only so long as the user complies with all of the terms of these Agreed Terms of Use: + 1. Except to the extent that we may have received additional authorization pursuant to a written agreement with CIS, each user may download, install and use each of the Products on a single computer; + 2. Each user may print one or more copies of any Product or any component of a Product that is in a .txt, .pdf, .doc, .mcw, or .rtf format, provided that all such copies are printed in full and are kept intact, including without limitation the text of this Agreed Terms of Use in its entirety. + RETENTION OF INTELLECTUAL PROPERTY RIGHTS; LIMITATIONS ON DISTRIBUTION. + The Products are protected by copyright and other intellectual property laws and by international treaties. 
We acknowledge and agree that we are not acquiring title to any intellectual property rights in the Products and that full title and all ownership rights to the Products will remain the exclusive property of CIS or CIS Parties. CIS reserves all rights not expressly granted to users in the preceding section entitled "Grant of limited rights." + Subject to the paragraph entitled "Special Rules" (which includes a waiver, granted to some classes of CIS Members, of certain limitations in this paragraph), and except as we may have otherwise agreed in a written agreement with CIS, we agree that we will not (i) decompile, disassemble, reverse engineer, or otherwise attempt to derive the source code for any software Product that is not already in the form of source code; (ii) distribute, redistribute, encumber, sell, rent, lease, lend, sublicense, or otherwise transfer or exploit rights to any Product or any component of a Product; (iii) post any Product or any component of a Product on any website, bulletin board, ftp server, newsgroup, or other similar mechanism or device, without regard to whether such mechanism or device is internal or external, (iv) remove or alter trademark, logo, copyright or other proprietary notices, legends, symbols or labels in any Product or any component of a Product; (v) remove these Agreed Terms of Use from, or alter these Agreed Terms of Use as they appear in, any Product or any component of a Product; (vi) use any Product or any component of a Product with any derivative works based directly on a Product or any component of a Product; (vii) use any Product or any component of a Product with other products or applications that are directly and specifically dependent on such Product or any component for any part of their functionality, or (viii) represent or claim a particular level of compliance with a CIS Benchmark, scoring tool or other Product. 
We will not facilitate or otherwise aid other individuals or entities in any of the activities listed in this paragraph. + We hereby agree to indemnify, defend, and hold CIS and all of its officers, directors, members, contributors, employees, authors, developers, agents, affiliates, licensors, information and service providers, software suppliers, hardware suppliers, and all other persons who aided CIS in the creation, development, or maintenance of the Products or Recommendations ("CIS Parties") harmless from and against any and all liability, losses, costs, and expenses (including attorneys' fees and court costs) incurred by CIS or any CIS Party in connection with any claim arising out of any violation by us of the preceding paragraph, including without limitation CIS's right, at our expense, to assume the exclusive defense and control of any matter subject to this indemnification, and in such case, we agree to cooperate with CIS in its defense of such claim. We further agree that all CIS Parties are third-party beneficiaries of our undertakings in these Agreed Terms of Use. SPECIAL RULES. + CIS has created and will from time to time create, special rules for its members and for other persons and organizations with which CIS has a written contractual relationship. Those special rules will override and supersede these Agreed Terms of Use with respect to the users who are covered by the special rules. + CIS hereby grants each CIS Security Consulting or Software Vendor Member and each CIS Organizational User Member, but only so long as such Member remains in good standing with CIS and complies with all of the terms of these Agreed Terms of Use, the right to distribute the Products and Recommendations within such Member's own organization, whether by manual or electronic means. 
Each such Member acknowledges and agrees that the foregoing grant is subject to the terms of such Member's membership arrangement with CIS and may, therefore, be modified or terminated by CIS at any time. + CHOICE OF LAW; JURISDICTION; VENUE. + We acknowledge and agree that these Agreed Terms of Use will be governed by and construed in accordance with the laws of the State of Maryland, that any action at law or in equity arising out of or relating to these Agreed Terms of Use shall be filed only in the courts located in the State of Maryland, that we hereby consent and submit to the personal jurisdiction of such courts for the purposes of litigating any such action. If any of these Agreed Terms of Use shall be determined to be unlawful, void, or for any reason unenforceable, then such terms shall be deemed severable and shall not affect the validity and enforceability of any remaining provisions. + BY USING THE PRODUCTS I(WE) ACKNOWLEDGE THAT WE HAVE READ THESE AGREED TERMS OF USE IN THEIR ENTIRETY, UNDERSTAND THEM, AND I(WE) AGREE TO BE BOUND BY THEM IN ALL RESPECTS. 2.0.0 
@@ -3059,40 +3059,40 @@ To obtain the latest version of this guide, please visit /usr/lib/modules/$(uname -r)/kernel/fs + : This should not be considered a comprehensive list of filesystems. You may wish to consider additions to those listed here for your environment. For the current available file system modules on the system see /usr/lib/modules/$(uname -r)/kernel/fs Start up scripts -Kernel modules loaded directly via insmod - will ignore what is configured in the relevant /etc/modprobe.d/*.conf - files. If modules are still being loaded after a reboot whilst having the correctly configured blacklist - and install - command, check for insmod - entries in start up scripts such as .bashrc -. + Kernel modules loaded directly via insmod + will ignore what is configured in the relevant /etc/modprobe.d/*.conf + files. If modules are still being loaded after a reboot whilst having the correctly configured blacklist + and install + command, check for insmod + entries in start up scripts such as .bashrc + . -You may also want to check /lib/modprobe.d/ -. Please note that this directory should not be used for user defined module loading. Ensure that all such entries resides in /etc/modprobe.d/*.conf - files. + You may also want to check /lib/modprobe.d/ + . Please note that this directory should not be used for user defined module loading. Ensure that all such entries resides in /etc/modprobe.d/*.conf + files. Return values -Using /bin/false - as the command in disabling a particular module serves two purposes; to convey the meaning of the entry to the user and cause a non-zero return value. The latter can be tested for in scripts. Please note that insmod - will ignore what is configured in the relevant /etc/modprobe.d/*.conf - files. The preferred way to load modules is with modprobe -. + Using /bin/false + as the command in disabling a particular module serves two purposes; to convey the meaning of the entry to the user and cause a non-zero return value. 
The latter can be tested for in scripts. Please note that insmod + will ignore what is configured in the relevant /etc/modprobe.d/*.conf + files. The preferred way to load modules is with modprobe + . Ensure cramfs kernel module is not available -The cramfs - filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs - image can be used without having to first decompress the image. + The cramfs + filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs + image can be used without having to first decompress the image. @@ -3123,74 +3123,74 @@ The cramfs -Run the following script to unload and disable the cramfs - module: + Run the following script to unload and disable the cramfs + module: - IF - - the cramfs - kernel module is available in ANY installed kernel: + the cramfs + kernel module is available in ANY installed kernel: -Create a file ending in .conf - with install cramfs /bin/false - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with install cramfs /bin/false + in the /etc/modprobe.d/ + directory -Create a file ending in .conf - with blacklist cramfs - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with blacklist cramfs + in the /etc/modprobe.d/ + directory -Run modprobe -r cramfs 2>/dev/null; rmmod cramfs 2>/dev/null - to remove cramfs - from the kernel + Run modprobe -r cramfs 2>/dev/null; rmmod cramfs 2>/dev/null + to remove cramfs + from the kernel - IF - - the cramfs - kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary + the cramfs + kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
- l_mod_name="cramfs" # set module name
- l_mod_type="fs" # set module type
- l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
- f_module_fix()
- {
- l_dl="y" # Set to ignore duplicate checks
- a_showconfig=() # Create array with modprobe output
- while IFS= read -r l_showconfig; do
- a_showconfig+=("$l_showconfig")
- done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
- if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
- a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
- modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
- fi
- if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
- printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
- printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- }
- for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
- if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
- l_output3="$l_output3\n - \"$l_mod_base_directory\""
- [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
- [ "$l_dl" != "y" ] && f_module_fix
- else
- echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
- fi
- done
- [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
- [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
- echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
-} -
+ {
+ unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
+ l_mod_name="cramfs" # set module name
+ l_mod_type="fs" # set module type
+ l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
+ f_module_fix()
+ {
+ l_dl="y" # Set to ignore duplicate checks
+ a_showconfig=() # Create array with modprobe output
+ while IFS= read -r l_showconfig; do
+ a_showconfig+=("$l_showconfig")
+ done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
+ if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
+ a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
+ modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
+ fi
+ if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
+ printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
+ printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ }
+ for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
+ if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
+ l_output3="$l_output3\n - \"$l_mod_base_directory\""
+ [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
+ [ "$l_dl" != "y" ] && f_module_fix
+ else
+ echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
+ fi
+ done
+ [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
+ [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
+ echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
+ } +
@@ -3206,8 +3206,8 @@ Run modprobe -r cramfs 2> Ensure freevxfs kernel module is not available -The freevxfs - filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems. + The freevxfs + filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems. @@ -3237,74 +3237,74 @@ The freevxfs -Run the following script to unload and disable the freevxfs - module: + Run the following script to unload and disable the freevxfs + module: - IF - - the freevxfs - kernel module is available in ANY installed kernel: + the freevxfs + kernel module is available in ANY installed kernel: -Create a file ending in .conf - with install freevxfs /bin/false - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with install freevxfs /bin/false + in the /etc/modprobe.d/ + directory -Create a file ending in .conf - with blacklist freevxfs - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with blacklist freevxfs + in the /etc/modprobe.d/ + directory -Run modprobe -r freevxfs 2>/dev/null; rmmod freevxfs 2>/dev/null - to remove freevxfs - from the kernel + Run modprobe -r freevxfs 2>/dev/null; rmmod freevxfs 2>/dev/null + to remove freevxfs + from the kernel - IF - - the freevxfs - kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary + the freevxfs + kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
- l_mod_name="freevxfs" # set module name
- l_mod_type="fs" # set module type
- l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
- f_module_fix()
- {
- l_dl="y" # Set to ignore duplicate checks
- a_showconfig=() # Create array with modprobe output
- while IFS= read -r l_showconfig; do
- a_showconfig+=("$l_showconfig")
- done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
- if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
- a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
- modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
- fi
- if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
- printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
- printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- }
- for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
- if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
- l_output3="$l_output3\n - \"$l_mod_base_directory\""
- [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
- [ "$l_dl" != "y" ] && f_module_fix
- else
- echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
- fi
- done
- [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
- [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
- echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
-} -
+ {
+ unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
+ l_mod_name="freevxfs" # set module name
+ l_mod_type="fs" # set module type
+ l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
+ f_module_fix()
+ {
+ l_dl="y" # Set to ignore duplicate checks
+ a_showconfig=() # Create array with modprobe output
+ while IFS= read -r l_showconfig; do
+ a_showconfig+=("$l_showconfig")
+ done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
+ if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
+ a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
+ modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
+ fi
+ if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
+ printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
+ printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ }
+ for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
+ if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
+ l_output3="$l_output3\n - \"$l_mod_base_directory\""
+ [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
+ [ "$l_dl" != "y" ] && f_module_fix
+ else
+ echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
+ fi
+ done
+ [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
+ [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
+ echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
+ }
+
@@ -3320,8 +3320,8 @@ Run modprobe -r freevxfs 2& Ensure hfs kernel module is not available -The hfs - filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems. + The hfs + filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems. @@ -3351,74 +3351,74 @@ The hfs -Run the following script to unload and disable the hfs - module: + Run the following script to unload and disable the hfs + module: - IF - - the hfs - kernel module is available in ANY installed kernel: + the hfs + kernel module is available in ANY installed kernel: -Create a file ending in .conf - with install hfs /bin/false - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with install hfs /bin/false + in the /etc/modprobe.d/ + directory -Create a file ending in .conf - with blacklist hfs - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with blacklist hfs + in the /etc/modprobe.d/ + directory -Run modprobe -r hfs 2>/dev/null; rmmod hfs 2>/dev/null - to remove hfs - from the kernel + Run modprobe -r hfs 2>/dev/null; rmmod hfs 2>/dev/null + to remove hfs + from the kernel - IF - - the hfs - kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary + the hfs + kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
- l_mod_name="hfs" # set module name
- l_mod_type="fs" # set module type
- l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
- f_module_fix()
- {
- l_dl="y" # Set to ignore duplicate checks
- a_showconfig=() # Create array with modprobe output
- while IFS= read -r l_showconfig; do
- a_showconfig+=("$l_showconfig")
- done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
- if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
- a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
- modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
- fi
- if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
- printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
- printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- }
- for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
- if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
- l_output3="$l_output3\n - \"$l_mod_base_directory\""
- [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
- [ "$l_dl" != "y" ] && f_module_fix
- else
- echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
- fi
- done
- [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
- [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
- echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
-}
-
+ {
+ unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
+ l_mod_name="hfs" # set module name
+ l_mod_type="fs" # set module type
+ l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
+ f_module_fix()
+ {
+ l_dl="y" # Set to ignore duplicate checks
+ a_showconfig=() # Create array with modprobe output
+ while IFS= read -r l_showconfig; do
+ a_showconfig+=("$l_showconfig")
+ done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
+ if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
+ a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
+ modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
+ fi
+ if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
+ printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
+ printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ }
+ for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
+ if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
+ l_output3="$l_output3\n - \"$l_mod_base_directory\""
+ [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
+ [ "$l_dl" != "y" ] && f_module_fix
+ else
+ echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
+ fi
+ done
+ [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
+ [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
+ echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
+ }
+
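Review bot: Every line of the hfs remediation script now carries a leading space on the new side, including `+ #!/usr/bin/env bash`, and a shebang is only honoured when `#!` are the first two bytes of the file, so the script as rendered in this fixture would no longer be directly executable if copied out verbatim. This looks like a snapshot of parser output rather than hand-edited text, so it is worth confirming that the added indentation is the intended result of the new parser option and not a whitespace regression being locked in by re-recording the expected output; if it is unintended, trimming leading whitespace of code/pre text in the parser is the fix, not editing the fixture. Apart from the indentation the hunk is whitespace-only and the script body matches the old side.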
@@ -3434,9 +3434,9 @@ Run modprobe -r hfs 2>/d Ensure hfsplus kernel module is not available -The hfsplus - filesystem type is a hierarchical filesystem designed to replace hfs - that allows you to mount Mac OS filesystems. + The hfsplus + filesystem type is a hierarchical filesystem designed to replace hfs + that allows you to mount Mac OS filesystems. @@ -3466,74 +3466,74 @@ The hfsplus -Run the following script to unload and disable the hfsplus - module: + Run the following script to unload and disable the hfsplus + module: - IF - - the hfsplus - kernel module is available in ANY installed kernel: + the hfsplus + kernel module is available in ANY installed kernel: -Create a file ending in .conf - with install hfsplus /bin/false - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with install hfsplus /bin/false + in the /etc/modprobe.d/ + directory -Create a file ending in .conf - with blacklist hfsplus - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with blacklist hfsplus + in the /etc/modprobe.d/ + directory -Run modprobe -r hfsplus 2>/dev/null; rmmod hfsplus 2>/dev/null - to remove hfsplus - from the kernel + Run modprobe -r hfsplus 2>/dev/null; rmmod hfsplus 2>/dev/null + to remove hfsplus + from the kernel - IF - - the hfsplus - kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary + the hfsplus + kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
- l_mod_name="hfsplus" # set module name
- l_mod_type="fs" # set module type
- l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
- f_module_fix()
- {
- l_dl="y" # Set to ignore duplicate checks
- a_showconfig=() # Create array with modprobe output
- while IFS= read -r l_showconfig; do
- a_showconfig+=("$l_showconfig")
- done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
- if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
- a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
- modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
- fi
- if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
- printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
- printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- }
- for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
- if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
- l_output3="$l_output3\n - \"$l_mod_base_directory\""
- [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
- [ "$l_dl" != "y" ] && f_module_fix
- else
- echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
- fi
- done
- [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
- [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
- echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
-}
-
+ {
+ unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
+ l_mod_name="hfsplus" # set module name
+ l_mod_type="fs" # set module type
+ l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
+ f_module_fix()
+ {
+ l_dl="y" # Set to ignore duplicate checks
+ a_showconfig=() # Create array with modprobe output
+ while IFS= read -r l_showconfig; do
+ a_showconfig+=("$l_showconfig")
+ done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
+ if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
+ a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
+ modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
+ fi
+ if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
+ printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
+ printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ }
+ for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
+ if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
+ l_output3="$l_output3\n - \"$l_mod_base_directory\""
+ [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
+ [ "$l_dl" != "y" ] && f_module_fix
+ else
+ echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
+ fi
+ done
+ [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
+ [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
+ echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
+ }
+
@@ -3549,8 +3549,8 @@ Run modprobe -r hfsplus 2&g Ensure jffs2 kernel module is not available -The jffs2 - (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices. + The jffs2 + (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices. @@ -3580,74 +3580,74 @@ The jffs2 -Run the following script to unload and disable the jffs2 - module: + Run the following script to unload and disable the jffs2 + module: - IF - - the jffs2 - kernel module is available in ANY installed kernel: + the jffs2 + kernel module is available in ANY installed kernel: -Create a file ending in .conf - with install jffs2 /bin/false - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with install jffs2 /bin/false + in the /etc/modprobe.d/ + directory -Create a file ending in .conf - with blacklist jffs2 - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with blacklist jffs2 + in the /etc/modprobe.d/ + directory -Run modprobe -r jffs2 2>/dev/null; rmmod jffs2 2>/dev/null - to remove jffs2 - from the kernel + Run modprobe -r jffs2 2>/dev/null; rmmod jffs2 2>/dev/null + to remove jffs2 + from the kernel - IF - - the jffs2 - kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary + the jffs2 + kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
- l_mod_name="jffs2" # set module name
- l_mod_type="fs" # set module type
- l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
- f_module_fix()
- {
- l_dl="y" # Set to ignore duplicate checks
- a_showconfig=() # Create array with modprobe output
- while IFS= read -r l_showconfig; do
- a_showconfig+=("$l_showconfig")
- done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
- if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
- a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
- modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
- fi
- if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
- printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
- printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- }
- for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
- if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
- l_output3="$l_output3\n - \"$l_mod_base_directory\""
- [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
- [ "$l_dl" != "y" ] && f_module_fix
- else
- echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
- fi
- done
- [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
- [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
- echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
-}
-
+ {
+ unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
+ l_mod_name="jffs2" # set module name
+ l_mod_type="fs" # set module type
+ l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
+ f_module_fix()
+ {
+ l_dl="y" # Set to ignore duplicate checks
+ a_showconfig=() # Create array with modprobe output
+ while IFS= read -r l_showconfig; do
+ a_showconfig+=("$l_showconfig")
+ done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
+ if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
+ a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
+ modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
+ fi
+ if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
+ printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
+ printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ }
+ for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
+ if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
+ l_output3="$l_output3\n - \"$l_mod_base_directory\""
+ [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
+ [ "$l_dl" != "y" ] && f_module_fix
+ else
+ echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
+ fi
+ done
+ [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
+ [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
+ echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
+ }
+
@@ -3663,9 +3663,9 @@ Run modprobe -r jffs2 2> Ensure squashfs kernel module is not available -The squashfs - filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A squashfs - image can be used without having to first decompress the image. + The squashfs + filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A squashfs + image can be used without having to first decompress the image. @@ -3697,83 +3697,83 @@ The squashfs -Run the following script to unload and disable the udf - module: + Run the following script to unload and disable the udf + module: - IF - - the squashfs - kernel module is available in ANY installed kernel: + the squashfs + kernel module is available in ANY installed kernel: -Create a file ending in .conf - with install squashfs /bin/false - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with install squashfs /bin/false + in the /etc/modprobe.d/ + directory -Create a file ending in .conf - with blacklist squashfs - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with blacklist squashfs + in the /etc/modprobe.d/ + directory -Run modprobe -r squashfs 2>/dev/null; rmmod squashfs 2>/dev/null - to remove squashfs - from the kernel + Run modprobe -r squashfs 2>/dev/null; rmmod squashfs 2>/dev/null + to remove squashfs + from the kernel - IF - - the squashfs - kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary + the squashfs + kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
- l_mod_name="squashfs" # set module name
- l_mod_type="fs" # set module type
- l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
- f_module_fix()
- {
- l_dl="y" # Set to ignore duplicate checks
- a_showconfig=() # Create array with modprobe output
- while IFS= read -r l_showconfig; do
- a_showconfig+=("$l_showconfig")
- done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
- if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
- a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
- modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
- fi
- if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
- printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
- printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- }
- for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
- if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
- l_output3="$l_output3\n - \"$l_mod_base_directory\""
- [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
- [ "$l_dl" != "y" ] && f_module_fix
- else
- echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
- fi
- done
- [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
- [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
- echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
-}
-
+ {
+ unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
+ l_mod_name="squashfs" # set module name
+ l_mod_type="fs" # set module type
+ l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
+ f_module_fix()
+ {
+ l_dl="y" # Set to ignore duplicate checks
+ a_showconfig=() # Create array with modprobe output
+ while IFS= read -r l_showconfig; do
+ a_showconfig+=("$l_showconfig")
+ done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
+ if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
+ a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
+ modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
+ fi
+ if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
+ printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
+ printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ }
+ for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
+ if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
+ l_output3="$l_output3\n - \"$l_mod_base_directory\""
+ [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
+ [ "$l_dl" != "y" ] && f_module_fix
+ else
+ echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
+ fi
+ done
+ [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
+ [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
+ echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
+ } + Impact: -As Snap packages utilize squashfs - as a compressed filesystem, disabling squashfs - will cause Snap packages to fail. + As Snap packages utilize squashfs + as a compressed filesystem, disabling squashfs + will cause Snap packages to fail. Snap - application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software's end-user. Snaps themselves have no dependency on any external store ("App store"), can be obtained from any source and can be therefore used for upstream software deployment. + application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software's end-user. Snaps themselves have no dependency on any external store ("App store"), can be obtained from any source and can be therefore used for upstream software deployment.
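Review bot: The remediation heading on the new side still reads `+ Run the following script to unload and disable the udf + module:` although this hunk belongs to the squashfs rule and the script below it sets `l_mod_name="squashfs"`. This is presumably carried over verbatim from the upstream benchmark text, so the snapshot should not silently correct it, but a short comment next to the fixture (or in the test that compares against it) saying the udf/squashfs mismatch is expected upstream wording would stop a later contributor from "fixing" the expected output and breaking the comparison. The rest of the hunk is whitespace-only.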
@@ -3790,8 +3790,8 @@ As Snap packages utilize sq Ensure udf kernel module is not available -The udf - filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats. + The udf + filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats. @@ -3821,83 +3821,83 @@ The udf -Run the following script to unload and disable the udf - module: + Run the following script to unload and disable the udf + module: - IF - - the udf - kernel module is available in ANY installed kernel: + the udf + kernel module is available in ANY installed kernel: -Create a file ending in .conf - with install udf /bin/false - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with install udf /bin/false + in the /etc/modprobe.d/ + directory -Create a file ending in .conf - with blacklist udf - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with blacklist udf + in the /etc/modprobe.d/ + directory -Run modprobe -r udf 2>/dev/null; rmmod udf 2>/dev/null - to remove udf - from the kernel + Run modprobe -r udf 2>/dev/null; rmmod udf 2>/dev/null + to remove udf + from the kernel - IF - - the udf - kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary + the udf + kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
- l_mod_name="udf" # set module name
- l_mod_type="fs" # set module type
- l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
- f_module_fix()
- {
- l_dl="y" # Set to ignore duplicate checks
- a_showconfig=() # Create array with modprobe output
- while IFS= read -r l_showconfig; do
- a_showconfig+=("$l_showconfig")
- done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
- if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
- a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
- modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
- fi
- if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
- printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
- printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- }
- for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
- if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
- l_output3="$l_output3\n - \"$l_mod_base_directory\""
- [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
- [ "$l_dl" != "y" ] && f_module_fix
- else
- echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
- fi
- done
- [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
- [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
- echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
-}
-
+ {
+ unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
+ l_mod_name="udf" # set module name
+ l_mod_type="fs" # set module type
+ l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
+ f_module_fix()
+ {
+ l_dl="y" # Set to ignore duplicate checks
+ a_showconfig=() # Create array with modprobe output
+ while IFS= read -r l_showconfig; do
+ a_showconfig+=("$l_showconfig")
+ done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
+ if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
+ a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
+ modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
+ fi
+ if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
+ printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
+ printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ }
+ for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
+ if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
+ l_output3="$l_output3\n - \"$l_mod_base_directory\""
+ [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
+ [ "$l_dl" != "y" ] && f_module_fix
+ else
+ echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
+ fi
+ done
+ [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
+ [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
+ echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
+ } + Impact: -Microsoft Azure requires the usage of udf -. + Microsoft Azure requires the usage of udf + . udf should not - be disabled on systems run on Microsoft Azure. + be disabled on systems run on Microsoft Azure.
@@ -3947,82 +3947,82 @@ Microsoft Azure requires the usage of usb-storage - module: + Run the following script to unload and disable the usb-storage + module: - IF - - the usb-storage - kernel module is available in ANY installed kernel: + the usb-storage + kernel module is available in ANY installed kernel: -Create a file ending in .conf - with install usb-storage /bin/false - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with install usb-storage /bin/false + in the /etc/modprobe.d/ + directory -Create a file ending in .conf - with blacklist usb-storage - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with blacklist usb-storage + in the /etc/modprobe.d/ + directory -Run modprobe -r usb-storage 2>/dev/null; rmmod usb-storage 2>/dev/null - to remove usb-storage - from the kernel + Run modprobe -r usb-storage 2>/dev/null; rmmod usb-storage 2>/dev/null + to remove usb-storage + from the kernel - IF - - the usb-storage - kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary + the usb-storage + kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
- l_mod_name="usb-storage" # set module name
- l_mod_type="drivers" # set module type
- l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
- f_module_fix()
- {
- l_dl="y" # Set to ignore duplicate checks
- a_showconfig=() # Create array with modprobe output
- while IFS= read -r l_showconfig; do
- a_showconfig+=("$l_showconfig")
- done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
- if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
- a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
- modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
- fi
- if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
- printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
- printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- }
- for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
- if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
- l_output3="$l_output3\n - \"$l_mod_base_directory\""
- [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
- [ "$l_dl" != "y" ] && f_module_fix
- else
- echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
- fi
- done
- [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
- [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
- echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
-} -
+ {
+ unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
+ l_mod_name="usb-storage" # set module name
+ l_mod_type="drivers" # set module type
+ l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
+ f_module_fix()
+ {
+ l_dl="y" # Set to ignore duplicate checks
+ a_showconfig=() # Create array with modprobe output
+ while IFS= read -r l_showconfig; do
+ a_showconfig+=("$l_showconfig")
+ done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
+ if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
+ a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
+ modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
+ fi
+ if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
+ printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
+ printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ }
+ for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
+ if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
+ l_output3="$l_output3\n - \"$l_mod_base_directory\""
+ [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
+ [ "$l_dl" != "y" ] && f_module_fix
+ else
+ echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
+ fi
+ done
+ [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
+ [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
+ echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
+ } + Impact: -Disabling the usb-storage - module will disable any usage of USB storage devices. + Disabling the usb-storage + module will disable any usage of USB storage devices. -If requirements and local site policy allow the use of such devices, other solutions should be configured accordingly instead. One example of a commonly used solution is USBGuard -. + If requirements and local site policy allow the use of such devices, other solutions should be configured accordingly instead. One example of a commonly used solution is USBGuard + . @@ -4064,40 +4064,40 @@ If requirements and local site policy allow the use of such devices, other solut afs - - CVE-2022-37402 + - CVE-2022-37402 ceph - - CVE-2022-0670 + - CVE-2022-0670 cifs - - CVE-2022-29869 + - CVE-2022-29869 exfat - CVE-2022-29973 + CVE-2022-29973 ext - CVE-2022-1184 + CVE-2022-1184 fat - CVE-2022-22043 + CVE-2022-22043 fscache - CVE-2022-3630 + CVE-2022-3630 fuse - CVE-2023-0386 + CVE-2023-0386 gfs2 - CVE-2023-3212 + CVE-2023-3212 nfs_common - CVE-2023-6660 + CVE-2023-6660 nfsd - CVE-2022-43945 + CVE-2022-43945 smbfs_common - CVE-2022-2585 + CVE-2022-2585 
@@ -4108,46 +4108,46 @@ If requirements and local site policy allow the use of such devices, other solut - IF - - the module is available in the running kernel: + the module is available in the running kernel: Unload the filesystem kernel module from the kernel -Create a file ending in .conf - with install filesystem kernel modules /bin/false - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with install filesystem kernel modules /bin/false + in the /etc/modprobe.d/ + directory -Create a file ending in .conf - with deny list filesystem kernel modules in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with deny list filesystem kernel modules in the /etc/modprobe.d/ + directory WARNING -: unloading, disabling or denylisting filesystem modules that are in use on the system maybe FATAL. It is extremely important to thoroughly review the filesystems returned by the audit before following the remediation procedure. + : unloading, disabling or denylisting filesystem modules that are in use on the system maybe FATAL. It is extremely important to thoroughly review the filesystems returned by the audit before following the remediation procedure. -Example of unloading the gfs2 -kernel module: + Example of unloading the gfs2 + kernel module: -# modprobe -r gfs2 2>/dev/null
-# rmmod gfs2 2>/dev/null -
+ # modprobe -r gfs2 2>/dev/null
+ # rmmod gfs2 2>/dev/null + -Example of fully disabling the gfs2 - kernel module: + Example of fully disabling the gfs2 + kernel module: # printf '%s\n' "blacklist gfs2" "install gfs2 /bin/false" >> /etc/modprobe.d/gfs2.conf - + Note: Disabling a kernel module by modifying the command above for each unused filesystem kernel module -The example gfs2 - must be updated with the appropriate module name for the command or example script bellow to run correctly. + The example gfs2 + must be updated with the appropriate module name for the command or example script bellow to run correctly. Below is an example Script that can be modified to use on various filesystem kernel modules manual remediation process: @@ -4156,47 +4156,47 @@ The example gfs2Example Script -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
- l_mod_name="gfs2" # set module name
- l_mod_type="fs" # set module type
- l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
- f_module_fix()
- {
- l_dl="y" # Set to ignore duplicate checks
- a_showconfig=() # Create array with modprobe output
- while IFS= read -r l_showconfig; do
- a_showconfig+=("$l_showconfig")
- done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
- if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
- a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
- modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
- fi
- if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
- printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
- printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- }
- for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
- if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
- l_output3="$l_output3\n - \"$l_mod_base_directory\""
- [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
- [ "$l_dl" != "y" ] && f_module_fix
- else
- echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
- fi
- done
- [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
- [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
- echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
-} -
+ {
+ unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
+ l_mod_name="gfs2" # set module name
+ l_mod_type="fs" # set module type
+ l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
+ f_module_fix()
+ {
+ l_dl="y" # Set to ignore duplicate checks
+ a_showconfig=() # Create array with modprobe output
+ while IFS= read -r l_showconfig; do
+ a_showconfig+=("$l_showconfig")
+ done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
+ if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
+ a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
+ modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
+ fi
+ if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
+ printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
+ printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ }
+ for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
+ if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
+ l_output3="$l_output3\n - \"$l_mod_base_directory\""
+ [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
+ [ "$l_dl" != "y" ] && f_module_fix
+ else
+ echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
+ fi
+ done
+ [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
+ [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
+ echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
+ } + Impact: This list may be quite extensive and covering all edges cases is difficult. Therefore, it's crucial to carefully consider the implications and dependencies before making any changes to the filesystem kernel module configurations. @@ -4216,29 +4216,29 @@ The example gfs2 -IF- - you are repartitioning a system that has already been installed (This may require the system to be in single-user mode): + you are repartitioning a system that has already been installed (This may require the system to be in single-user mode): -Mount the new partition to a temporary mountpoint e.g. mount /dev/sda2 /mnt + Mount the new partition to a temporary mountpoint e.g. mount /dev/sda2 /mnt -Copy data from the original partition to the new partition. e.g. cp -a /var/tmp/* /mnt + Copy data from the original partition to the new partition. e.g. cp -a /var/tmp/* /mnt -Verify that all data is present on the new partition. e.g. ls -la /mnt + Verify that all data is present on the new partition. e.g. ls -la /mnt -Unmount the new partition. e.g. umount /mnt + Unmount the new partition. e.g. umount /mnt -Remove the data from the original directory that was in the old partition. e.g. rm -Rf /var/tmp/* - Otherwise it will still consume space in the old partition that will be masked when the new filesystem is mounted. + Remove the data from the original directory that was in the old partition. e.g. rm -Rf /var/tmp/* + Otherwise it will still consume space in the old partition that will be masked when the new filesystem is mounted. -Mount the new partition to the desired mountpoint. e.g. mount /dev/sda2 /var/tmp + Mount the new partition to the desired mountpoint. e.g. mount /dev/sda2 /var/tmp -Update /etc/fstab - with the new mountpoint. e.g. /dev/sda2 /var/tmp xfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 + Update /etc/fstab + with the new mountpoint. e.g. /dev/sda2 /var/tmp xfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 
@@ -4246,62 +4246,62 @@ Update /etc/fstab Configure /tmp -The /tmp - directory is a world-writable directory used to store data used by the system and user applications for a short period of time. This data should have no expectation of surviving a reboot, as this directory is intended to be emptied after each reboot. + The /tmp + directory is a world-writable directory used to store data used by the system and user applications for a short period of time. This data should have no expectation of surviving a reboot, as this directory is intended to be emptied after each reboot. Ensure /tmp is a separate partition -The /tmp - directory is a world-writable directory used for temporary storage by all users and some applications. + The /tmp + directory is a world-writable directory used for temporary storage by all users and some applications. - IF - - an entry for /tmp - exists in /etc/fstab - it will take precedence over entries in systemd default unit file. + an entry for /tmp + exists in /etc/fstab + it will take precedence over entries in systemd default unit file. Note: - In an environment where the main system is diskless and connected to iSCSI, entries in /etc/fstab - may not take precedence. + In an environment where the main system is diskless and connected to iSCSI, entries in /etc/fstab + may not take precedence. /tmp - can be configured to use tmpfs -. + can be configured to use tmpfs + . tmpfs - puts everything into the kernel internal caches and grows and shrinks to accommodate the files it contains and is able to swap unneeded pages out to swap space. It has maximum size limits which can be adjusted on the fly via mount -o remount -. + puts everything into the kernel internal caches and grows and shrinks to accommodate the files it contains and is able to swap unneeded pages out to swap space. It has maximum size limits which can be adjusted on the fly via mount -o remount + . 
-Since tmpfs - lives completely in the page cache and on swap, all tmpfs - pages will be shown as "Shmem" in /proc/meminfo - and "Shared" in free -. Notice that these counters also include shared memory. The most reliable way to get the count is using df - and du -. + Since tmpfs + lives completely in the page cache and on swap, all tmpfs + pages will be shown as "Shmem" in /proc/meminfo + and "Shared" in free + . Notice that these counters also include shared memory. The most reliable way to get the count is using df + and du + . tmpfs - has three mount options for sizing: + has three mount options for sizing: size -: The limit of allocated bytes for this tmpfs - instance. The default is half of your physical RAM without swap. If you oversize your tmpfs - instances the machine will deadlock since the OOM handler will not be able to free that memory. + : The limit of allocated bytes for this tmpfs + instance. The default is half of your physical RAM without swap. If you oversize your tmpfs + instances the machine will deadlock since the OOM handler will not be able to free that memory. nr_blocks -: The same as size, but in blocks of PAGE_SIZE. + : The same as size, but in blocks of PAGE_SIZE. nr_inodes -: The maximum number of inodes for this instance. The default is half of the number of your physical RAM pages, or (on a machine with highmem) the number of lowmem RAM pages, whichever is the lower. + : The maximum number of inodes for this instance. The default is half of the number of your physical RAM pages, or (on a machine with highmem) the number of lowmem RAM pages, whichever is the lower. -These parameters accept a suffix k, m or g and can be changed on remount. The size parameter also accepts a suffix % to limit this tmpfs - instance to that percentage of your physical RAM. The default, when neither size - nor nr_blocks - is specified, is size=50% -. + These parameters accept a suffix k, m or g and can be changed on remount. 
The size parameter also accepts a suffix % to limit this tmpfs + instance to that percentage of your physical RAM. The default, when neither size + nor nr_blocks + is specified, is size=50% + . @@ -4323,16 +4323,16 @@ These parameters accept a suffix k, m or g and can be changed on remount. The si -Making /tmp - its own file system allows an administrator to set additional mount options such as the noexec - option on the mount, making /tmp - useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid - program and wait for it to be updated. Once the program was updated, the hard link would be broken, and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. + Making /tmp + its own file system allows an administrator to set additional mount options such as the noexec + option on the mount, making /tmp + useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid + program and wait for it to be updated. Once the program was updated, the hard link would be broken, and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. -This can be accomplished by either mounting tmpfs - to /tmp -, or creating a separate partition for /tmp -. + This can be accomplished by either mounting tmpfs + to /tmp + , or creating a separate partition for /tmp + . 
@@ -4344,51 +4344,51 @@ This can be accomplished by either mounting /tmp - will be mounted at boot time. + First ensure that systemd is correctly configured to ensure that /tmp + will be mounted at boot time. # systemctl unmask tmp.mount - + -For specific configuration requirements of the /tmp - mount for your environment, modify /etc/fstab -. + For specific configuration requirements of the /tmp + mount for your environment, modify /etc/fstab + . -Example of using tmpfs - with specific mount options: + Example of using tmpfs + with specific mount options: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0 - + Note: - the size=2G - is an example of setting a specific size for tmpfs -. + the size=2G + is an example of setting a specific size for tmpfs + . Example of using a volume or disk with specific mount options. The source location of the volume or disk will vary depending on your environment: <device> /tmp <fstype> defaults,nodev,nosuid,noexec 0 0 - + Impact: -By design files saved to /tmp - should have no expectation of surviving a reboot of the system. tmpfs - is ram based and all files stored to tmpfs - will be lost when the system is rebooted. + By design files saved to /tmp + should have no expectation of surviving a reboot of the system. tmpfs + is ram based and all files stored to tmpfs + will be lost when the system is rebooted. -If files need to be persistent through a reboot, they should be saved to /var/tmp - not /tmp -. + If files need to be persistent through a reboot, they should be saved to /var/tmp + not /tmp + . -Since the /tmp - directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to tmpfs - or a separate partition. + Since the /tmp + directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to tmpfs + or a separate partition. 
-Running out of /tmp - space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp - is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / - partition. On the other hand, a RAM-based /tmp - (as with tmpfs -) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp - from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs - which is RAM-based. + Running out of /tmp + space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp + is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / + partition. On the other hand, a RAM-based /tmp + (as with tmpfs + ) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp + from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs + which is RAM-based. @@ -4405,8 +4405,8 @@ Running out of /tmpEnsure nodev option set on /tmp partition -The nodev - mount option specifies that the filesystem cannot contain special devices. + The nodev + mount option specifies that the filesystem cannot contain special devices. @@ -4428,9 +4428,9 @@ The nodev -Since the /tmp - filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp -. + Since the /tmp + filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp + . 
@@ -4441,23 +4441,23 @@ Since the /tmp - IF - - a separate partition exists for /tmp -. + a separate partition exists for /tmp + . -Edit the /etc/fstab - file and add nodev - to the fourth field (mounting options) for the /tmp - partition. + Edit the /etc/fstab + file and add nodev + to the fourth field (mounting options) for the /tmp + partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /tmp - with the configured options: + Run the following command to remount /tmp + with the configured options: # mount -o remount /tmp - + @@ -4473,9 +4473,9 @@ Run the following command to remount Ensure nosuid option set on /tmp partition -The nosuid - mount option specifies that the filesystem cannot contain setuid - files. + The nosuid + mount option specifies that the filesystem cannot contain setuid + files. @@ -4497,10 +4497,10 @@ The nosuid -Since the /tmp - filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid - files in /tmp -. + Since the /tmp + filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid + files in /tmp + . @@ -4511,23 +4511,23 @@ Since the /tmp - IF - - a separate partition exists for /tmp -. + a separate partition exists for /tmp + . -Edit the /etc/fstab - file and add nosuid - to the fourth field (mounting options) for the /tmp - partition. + Edit the /etc/fstab + file and add nosuid + to the fourth field (mounting options) for the /tmp + partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /tmp - with the configured options: + Run the following command to remount /tmp + with the configured options: # mount -o remount /tmp - + 
@@ -4543,8 +4543,8 @@ Run the following command to remount Ensure noexec option set on /tmp partition -The noexec - mount option specifies that the filesystem cannot contain executable binaries. + The noexec + mount option specifies that the filesystem cannot contain executable binaries. @@ -4566,9 +4566,9 @@ The noexec -Since the /tmp - filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp -. + Since the /tmp + filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp + . @@ -4579,29 +4579,29 @@ Since the /tmp - IF - - a separate partition exists for /tmp -. + a separate partition exists for /tmp + . -Edit the /etc/fstab - file and add noexec - to the fourth field (mounting options) for the /tmp - partition. + Edit the /etc/fstab + file and add noexec + to the fourth field (mounting options) for the /tmp + partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /tmp - with the configured options: + Run the following command to remount /tmp + with the configured options: # mount -o remount /tmp - + Impact: -Setting the noexec - option on /tmp - may prevent installation and/or updating of some 3rd party software. + Setting the noexec + option on /tmp + may prevent installation and/or updating of some 3rd party software. 
@@ -4619,15 +4619,15 @@ Setting the noexecConfigure /dev/shm -The /dev/shm - directory is a world-writable directory that can function as shared memory that facilitates inter process communication (IPC) + The /dev/shm + directory is a world-writable directory that can function as shared memory that facilitates inter process communication (IPC) Ensure /dev/shm is a separate partition -The /dev/shm - directory is a world-writable directory that can function as shared memory that facilitates inter process communication (IPC). + The /dev/shm + directory is a world-writable directory that can function as shared memory that facilitates inter process communication (IPC). @@ -4649,15 +4649,15 @@ The /dev/shm -Making /dev/shm - its own file system allows an administrator to set additional mount options such as the noexec - option on the mount, making /dev/shm - useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid - program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. + Making /dev/shm + its own file system allows an administrator to set additional mount options such as the noexec + option on the mount, making /dev/shm + useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid + program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. -This can be accomplished by mounting tmpfs - to /dev/shm -. + This can be accomplished by mounting tmpfs + to /dev/shm + . 
@@ -4668,25 +4668,25 @@ This can be accomplished by mounting /dev/shm - mount for your environment, modify /etc/fstab -. + For specific configuration requirements of the /dev/shm + mount for your environment, modify /etc/fstab + . Example: tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0 - + Impact: -Since the /dev/shm - directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. + Since the /dev/shm + directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. /dev/shm - utilizing tmpfs - can be resized using the size={size} - parameter in the relevant entry in /etc/fstab -. + utilizing tmpfs + can be resized using the size={size} + parameter in the relevant entry in /etc/fstab + . @@ -4703,8 +4703,8 @@ Since the /dev/shmEnsure nodev option set on /dev/shm partition -The nodev - mount option specifies that the filesystem cannot contain special devices. + The nodev + mount option specifies that the filesystem cannot contain special devices. 
@@ -4725,19 +4725,19 @@ The nodev -Some distributions mount /dev/shm - through other means and require /dev/shm - to be added to /etc/fstab - even though it is already being mounted on boot. Others may configure /dev/shm - in other locations and may override /etc/fstab - configuration. Consult the documentation appropriate for your distribution. + Some distributions mount /dev/shm + through other means and require /dev/shm + to be added to /etc/fstab + even though it is already being mounted on boot. Others may configure /dev/shm + in other locations and may override /etc/fstab + configuration. Consult the documentation appropriate for your distribution. -Since the /dev/shm - filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm - partitions. + Since the /dev/shm + filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm + partitions. 
@@ -4747,29 +4747,29 @@ Since the /dev/shm - IF - - a separate partition exists for /dev/shm -. + a separate partition exists for /dev/shm + . -Edit the /etc/fstab - file and add nodev - to the fourth field (mounting options) for the /dev/shm - partition. See the fstab(5) - manual page for more information. + Edit the /etc/fstab + file and add nodev + to the fourth field (mounting options) for the /dev/shm + partition. See the fstab(5) + manual page for more information. Example: tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /dev/shm - with the configured options: + Run the following command to remount /dev/shm + with the configured options: # mount -o remount /dev/shm - + Note: - It is recommended to use tmpfs - as the device/filesystem type as /dev/shm - is used as shared memory space by applications. + It is recommended to use tmpfs + as the device/filesystem type as /dev/shm + is used as shared memory space by applications. @@ -4785,9 +4785,9 @@ Run the following command to remount Ensure nosuid option set on /dev/shm partition -The nosuid - mount option specifies that the filesystem cannot contain setuid - files. + The nosuid + mount option specifies that the filesystem cannot contain setuid + files. @@ -4808,12 +4808,12 @@ The nosuid -Some distributions mount /dev/shm - through other means and require /dev/shm - to be added to /etc/fstab - even though it is already being mounted on boot. Others may configure /dev/shm - in other locations and may override /etc/fstab - configuration. Consult the documentation appropriate for your distribution. + Some distributions mount /dev/shm + through other means and require /dev/shm + to be added to /etc/fstab + even though it is already being mounted on boot. Others may configure /dev/shm + in other locations and may override /etc/fstab + configuration. Consult the documentation appropriate for your distribution. 
@@ -4827,29 +4827,29 @@ Some distributions mount /dev - IF - - a separate partition exists for /dev/shm -. + a separate partition exists for /dev/shm + . -Edit the /etc/fstab - file and add nosuid - to the fourth field (mounting options) for the /dev/shm - partition. See the fstab(5) - manual page for more information. + Edit the /etc/fstab + file and add nosuid + to the fourth field (mounting options) for the /dev/shm + partition. See the fstab(5) + manual page for more information. Example: tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /dev/shm - with the configured options: + Run the following command to remount /dev/shm + with the configured options: # mount -o remount /dev/shm - + Note: - It is recommended to use tmpfs - as the device/filesystem type as /dev/shm - is used as shared memory space by applications. + It is recommended to use tmpfs + as the device/filesystem type as /dev/shm + is used as shared memory space by applications. @@ -4865,8 +4865,8 @@ Run the following command to remount Ensure noexec option set on /dev/shm partition -The noexec - mount option specifies that the filesystem cannot contain executable binaries. + The noexec + mount option specifies that the filesystem cannot contain executable binaries. 
@@ -4898,28 +4898,28 @@ The noexec - IF - - a separate partition exists for /dev/shm -. + a separate partition exists for /dev/shm + . -Edit the /etc/fstab - file and add noexec - to the fourth field (mounting options) for the /dev/shm - partition. + Edit the /etc/fstab + file and add noexec + to the fourth field (mounting options) for the /dev/shm + partition. Example: tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /dev/shm - with the configured options: + Run the following command to remount /dev/shm + with the configured options: # mount -o remount /dev/shm - + Note: - It is recommended to use tmpfs - as the device/filesystem type as /dev/shm - is used as shared memory space by applications. + It is recommended to use tmpfs + as the device/filesystem type as /dev/shm + is used as shared memory space by applications. 
@@ -4936,22 +4936,22 @@ Run the following command to remount Configure /home -Please note that home directories can be mounted anywhere and are not necessarily restricted to /home -, nor restricted to a single location, nor is the name restricted in any way. + Please note that home directories can be mounted anywhere and are not necessarily restricted to /home + , nor restricted to a single location, nor is the name restricted in any way. -Finding user home directories can be done by looking in /etc/passwd -, looking over the mounted file systems with mount - or querying the relevant database with getent -. + Finding user home directories can be done by looking in /etc/passwd + , looking over the mounted file systems with mount + or querying the relevant database with getent + . for user in $(awk -F ':' '{print $1}' /etc/passwd); do echo "${user} - $(sudo getent passwd ${user} | awk -F ':' '{print $NF}')"; done - + Ensure separate partition exists for /home -The /home - directory is used to support disk storage needs of local users. + The /home + directory is used to support disk storage needs of local users. 
@@ -4972,26 +4972,26 @@ The /home -When modifying /home - it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multi-user mode. + When modifying /home + it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multi-user mode. -The default installation only creates a single / - partition. Since the /home - directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home - and impact all local users. + The default installation only creates a single / + partition. Since the /home + directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home + and impact all local users. -Configuring /home - as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev -. These options limit an attacker's ability to create exploits on the system. In the case of /home - options such as usrquota/grpquota - may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount - for exact details regarding filesystem-independent and filesystem-specific options. + Configuring /home + as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev + . These options limit an attacker's ability to create exploits on the system. 
In the case of /home + options such as usrquota/grpquota + may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount + for exact details regarding filesystem-independent and filesystem-specific options. -As /home - contains user data, care should be taken to ensure the security and integrity of the data and mount point. + As /home + contains user data, care should be taken to ensure the security and integrity of the data and mount point. @@ -5001,11 +5001,11 @@ As /home -For new installations, during installation create a custom partition setup and specify a separate partition for /home -. + For new installations, during installation create a custom partition setup and specify a separate partition for /home + . -For systems that were previously installed, create a new partition and configure /etc/fstab - as appropriate. + For systems that were previously installed, create a new partition and configure /etc/fstab + as appropriate. Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. @@ -5025,8 +5025,8 @@ For systems that were previously installed, create a new partition and configure Ensure nodev option set on /home partition -The nodev - mount option specifies that the filesystem cannot contain special devices. + The nodev + mount option specifies that the filesystem cannot contain special devices. 
@@ -5048,9 +5048,9 @@ The nodev -Since the /home - filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /home -. + Since the /home + filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /home + . @@ -5061,23 +5061,23 @@ Since the /home - IF - - a separate partition exists for /home -. + a separate partition exists for /home + . -Edit the /etc/fstab - file and add nodev - to the fourth field (mounting options) for the /home - partition. + Edit the /etc/fstab + file and add nodev + to the fourth field (mounting options) for the /home + partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /home - with the configured options: + Run the following command to remount /home + with the configured options: # mount -o remount /home - + @@ -5093,9 +5093,9 @@ Run the following command to remount Ensure nosuid option set on /home partition -The nosuid - mount option specifies that the filesystem cannot contain setuid - files. + The nosuid + mount option specifies that the filesystem cannot contain setuid + files. @@ -5117,10 +5117,10 @@ The nosuid -Since the /home - filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid - files in /home -. + Since the /home + filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid + files in /home + . 
@@ -5131,23 +5131,23 @@ Since the /home - IF - - a separate partition exists for /home -. + a separate partition exists for /home + . -Edit the /etc/fstab - file and add nosuid - to the fourth field (mounting options) for the /home - partition. + Edit the /etc/fstab + file and add nosuid + to the fourth field (mounting options) for the /home + partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /home - with the configured options: + Run the following command to remount /home + with the configured options: # mount -o remount /home - + @@ -5164,15 +5164,15 @@ Run the following command to remount Configure /var -The /var - directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. + The /var + directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. Ensure separate partition exists for /var -The /var - directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. + The /var + directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. 
@@ -5193,29 +5193,29 @@ The /var -When modifying /var - it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multi-user mode. + When modifying /var + it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multi-user mode. -The reasoning for mounting /var - on a separate partition is as follows. + The reasoning for mounting /var + on a separate partition is as follows. -The default installation only creates a single / - partition. Since the /var - directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system. In addition, other operations on the system could fill up the disk unrelated to /var - and cause unintended behavior across the system as the disk is full. See man auditd.conf - for details. + The default installation only creates a single / + partition. Since the /var + directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system. In addition, other operations on the system could fill up the disk unrelated to /var + and cause unintended behavior across the system as the disk is full. See man auditd.conf + for details. -Configuring /var - as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev -. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount - for exact details regarding filesystem-independent and filesystem-specific options. 
+ Configuring /var + as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev + . These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount + for exact details regarding filesystem-independent and filesystem-specific options. -An example of exploiting /var - may be an attacker establishing a hard-link to a system setuid - program and waiting for it to be updated. Once the program is updated, the hard-link can be broken and the attacker would have their own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. + An example of exploiting /var + may be an attacker establishing a hard-link to a system setuid + program and waiting for it to be updated. Once the program is updated, the hard-link can be broken and the attacker would have their own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. @@ -5225,11 +5225,11 @@ An example of exploiting /var -For new installations, during installation create a custom partition setup and specify a separate partition for /var -. + For new installations, during installation create a custom partition setup and specify a separate partition for /var + . -For systems that were previously installed, create a new partition and configure /etc/fstab - as appropriate. + For systems that were previously installed, create a new partition and configure /etc/fstab + as appropriate. Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. 
@@ -5249,8 +5249,8 @@ For systems that were previously installed, create a new partition and configure Ensure nodev option set on /var partition -The nodev - mount option specifies that the filesystem cannot contain special devices. + The nodev + mount option specifies that the filesystem cannot contain special devices. @@ -5272,9 +5272,9 @@ The nodev -Since the /var - filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var -. + Since the /var + filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var + . @@ -5285,23 +5285,23 @@ Since the /var - IF - - a separate partition exists for /var -. + a separate partition exists for /var + . -Edit the /etc/fstab - file and add nodev - to the fourth field (mounting options) for the /var - partition. + Edit the /etc/fstab + file and add nodev + to the fourth field (mounting options) for the /var + partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /var - with the configured options: + Run the following command to remount /var + with the configured options: # mount -o remount /var - + @@ -5317,9 +5317,9 @@ Run the following command to remount Ensure nosuid option set on /var partition -The nosuid - mount option specifies that the filesystem cannot contain setuid - files. + The nosuid + mount option specifies that the filesystem cannot contain setuid + files. @@ -5341,10 +5341,10 @@ The nosuid -Since the /var - filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid - files in /var -. + Since the /var + filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid + files in /var + . 
@@ -5355,23 +5355,23 @@ Since the /var - IF - - a separate partition exists for /var -. + a separate partition exists for /var + . -Edit the /etc/fstab - file and add nosuid - to the fourth field (mounting options) for the /var - partition. + Edit the /etc/fstab + file and add nosuid + to the fourth field (mounting options) for the /var + partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /var - with the configured options: + Run the following command to remount /var + with the configured options: # mount -o remount /var - + @@ -5388,17 +5388,17 @@ Run the following command to remount Configure /var/tmp -The /var/tmp - directory is a world-writable directory used for temporary storage by all users and some applications. Temporary files residing in /var/tmp - are to be preserved between reboots. + The /var/tmp + directory is a world-writable directory used for temporary storage by all users and some applications. Temporary files residing in /var/tmp + are to be preserved between reboots. Ensure separate partition exists for /var/tmp -The /var/tmp - directory is a world-writable directory used for temporary storage by all users and some applications. Temporary files residing in /var/tmp - are to be preserved between reboots. + The /var/tmp + directory is a world-writable directory used for temporary storage by all users and some applications. Temporary files residing in /var/tmp + are to be preserved between reboots. 
@@ -5419,20 +5419,20 @@ The /var/tmp -When modifying /var/tmp - it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multi-user mode. + When modifying /var/tmp + it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multi-user mode. -The default installation only creates a single / - partition. Since the /var/tmp - directory is world-writable, there is a risk of resource exhaustion. In addition, other operations on the system could fill up the disk unrelated to /var/tmp - and cause potential disruption to daemons as the disk is full. + The default installation only creates a single / + partition. Since the /var/tmp + directory is world-writable, there is a risk of resource exhaustion. In addition, other operations on the system could fill up the disk unrelated to /var/tmp + and cause potential disruption to daemons as the disk is full. -Configuring /var/tmp - as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev -. These options limit an attacker's ability to create exploits on the system. + Configuring /var/tmp + as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev + . These options limit an attacker's ability to create exploits on the system. 
@@ -5442,11 +5442,11 @@ Configuring /var/tmp -For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp -. + For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp + . -For systems that were previously installed, create a new partition and configure /etc/fstab - as appropriate. + For systems that were previously installed, create a new partition and configure /etc/fstab + as appropriate. Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. @@ -5466,8 +5466,8 @@ For systems that were previously installed, create a new partition and configure Ensure nodev option set on /var/tmp partition -The nodev - mount option specifies that the filesystem cannot contain special devices. + The nodev + mount option specifies that the filesystem cannot contain special devices. @@ -5489,9 +5489,9 @@ The nodev -Since the /var/tmp - filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/tmp -. + Since the /var/tmp + filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/tmp + . 
@@ -5502,23 +5502,23 @@ Since the /var/tmp - IF - - a separate partition exists for /var/tmp -. + a separate partition exists for /var/tmp + . -Edit the /etc/fstab - file and add nodev - to the fourth field (mounting options) for the /var/tmp - partition. + Edit the /etc/fstab + file and add nodev + to the fourth field (mounting options) for the /var/tmp + partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /var/tmp - with the configured options: + Run the following command to remount /var/tmp + with the configured options: # mount -o remount /var/tmp - + @@ -5534,9 +5534,9 @@ Run the following command to remount Ensure nosuid option set on /var/tmp partition -The nosuid - mount option specifies that the filesystem cannot contain setuid - files. + The nosuid + mount option specifies that the filesystem cannot contain setuid + files. @@ -5558,10 +5558,10 @@ The nosuid -Since the /var/tmp - filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid - files in /var/tmp -. + Since the /var/tmp + filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid + files in /var/tmp + . @@ -5572,23 +5572,23 @@ Since the /var/tmp - IF - - a separate partition exists for /var/tmp -. + a separate partition exists for /var/tmp + . -Edit the /etc/fstab - file and add nosuid - to the fourth field (mounting options) for the /var/tmp - partition. + Edit the /etc/fstab + file and add nosuid + to the fourth field (mounting options) for the /var/tmp + partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /var/tmp - with the configured options: + Run the following command to remount /var/tmp + with the configured options: # mount -o remount /var/tmp - + 
@@ -5604,8 +5604,8 @@ Run the following command to remount Ensure noexec option set on /var/tmp partition -The noexec - mount option specifies that the filesystem cannot contain executable binaries. + The noexec + mount option specifies that the filesystem cannot contain executable binaries. @@ -5627,9 +5627,9 @@ The noexec -Since the /var/tmp - filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp -. + Since the /var/tmp + filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp + . @@ -5640,23 +5640,23 @@ Since the /var/tmp - IF - - a separate partition exists for /var/tmp -. + a separate partition exists for /var/tmp + . -Edit the /etc/fstab - file and add noexec - to the fourth field (mounting options) for the /var/tmp - partition. + Edit the /etc/fstab + file and add noexec + to the fourth field (mounting options) for the /var/tmp + partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /var/tmp - with the configured options: + Run the following command to remount /var/tmp + with the configured options: # mount -o remount /var/tmp - + @@ -5673,15 +5673,15 @@ Run the following command to remount Configure /var/log -The /var/log - directory is used by system services to store log data. + The /var/log + directory is used by system services to store log data. Ensure separate partition exists for /var/log -The /var/log - directory is used by system services to store log data. + The /var/log + directory is used by system services to store log data. 
@@ -5702,23 +5702,23 @@ The /var/log -When modifying /var/log - it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. + When modifying /var/log + it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode. -The default installation only creates a single / - partition. Since the /var/log - directory contains log files which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. + The default installation only creates a single / + partition. Since the /var/log + directory contains log files which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. -Configuring /var/log - as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev -. These options limit an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount - for exact details regarding filesystem-independent and filesystem-specific options. + Configuring /var/log + as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev + . These options limit an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount + for exact details regarding filesystem-independent and filesystem-specific options. -As /var/log - contains log files, care should be taken to ensure the security and integrity of the data and mount point. + As /var/log + contains log files, care should be taken to ensure the security and integrity of the data and mount point. 
@@ -5728,11 +5728,11 @@ As /var/log -For new installations, during installation create a custom partition setup and specify a separate partition for /var/log - . + For new installations, during installation create a custom partition setup and specify a separate partition for /var/log + . -For systems that were previously installed, create a new partition and configure /etc/fstab - as appropriate. + For systems that were previously installed, create a new partition and configure /etc/fstab + as appropriate. Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. @@ -5752,8 +5752,8 @@ For systems that were previously installed, create a new partition and configure Ensure nodev option set on /var/log partition -The nodev - mount option specifies that the filesystem cannot contain special devices. + The nodev + mount option specifies that the filesystem cannot contain special devices. @@ -5775,9 +5775,9 @@ The nodev -Since the /var/log - filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log -. + Since the /var/log + filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log + . 
@@ -5788,23 +5788,23 @@ Since the /var/log - IF - - a separate partition exists for /var/log -. + a separate partition exists for /var/log + . -Edit the /etc/fstab - file and add nodev - to the fourth field (mounting options) for the /var/log - partition. + Edit the /etc/fstab + file and add nodev + to the fourth field (mounting options) for the /var/log + partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /var/log - with the configured options: + Run the following command to remount /var/log + with the configured options: # mount -o remount /var/log - + @@ -5820,9 +5820,9 @@ Run the following command to remount Ensure nosuid option set on /var/log partition -The nosuid - mount option specifies that the filesystem cannot contain setuid - files. + The nosuid + mount option specifies that the filesystem cannot contain setuid + files. @@ -5844,10 +5844,10 @@ The nosuid -Since the /var/log - filesystem is only intended for log files, set this option to ensure that users cannot create setuid - files in /var/log -. + Since the /var/log + filesystem is only intended for log files, set this option to ensure that users cannot create setuid + files in /var/log + . @@ -5858,23 +5858,23 @@ Since the /var/log - IF - - a separate partition exists for /var/log -. + a separate partition exists for /var/log + . -Edit the /etc/fstab - file and add nosuid - to the fourth field (mounting options) for the /var/log - partition. + Edit the /etc/fstab + file and add nosuid + to the fourth field (mounting options) for the /var/log + partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /var/log - with the configured options: + Run the following command to remount /var/log + with the configured options: # mount -o remount /var/log - + 
@@ -5890,8 +5890,8 @@ Run the following command to remount Ensure noexec option set on /var/log partition -The noexec - mount option specifies that the filesystem cannot contain executable binaries. + The noexec + mount option specifies that the filesystem cannot contain executable binaries. @@ -5913,9 +5913,9 @@ The noexec -Since the /var/log - filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log -. + Since the /var/log + filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log + . @@ -5926,23 +5926,23 @@ Since the /var/log - IF - - a separate partition exists for /var/log -. + a separate partition exists for /var/log + . -Edit the /etc/fstab - file and add noexec - to the fourth field (mounting options) for the /var/log - partition. + Edit the /etc/fstab + file and add noexec + to the fourth field (mounting options) for the /var/log + partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /var/log - with the configured options: + Run the following command to remount /var/log + with the configured options: # mount -o remount /var/log - + @@ -5959,17 +5959,17 @@ Run the following command to remount Configure /var/log/audit -The auditing daemon, auditd -, stores log data in the /var/log/audit - directory. + The auditing daemon, auditd + , stores log data in the /var/log/audit + directory. Ensure separate partition exists for /var/log/audit -The auditing daemon, auditd -, stores log data in the /var/log/audit - directory. + The auditing daemon, auditd + , stores log data in the /var/log/audit + directory. 
@@ -5990,28 +5990,28 @@ The auditing daemon, auditd -When modifying /var/log/audit - it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multi-user mode. + When modifying /var/log/audit + it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multi-user mode. -The default installation only creates a single / - partition. Since the /var/log/audit - directory contains the audit.log - file which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit - and cause auditd - to trigger its space_left_action - as the disk is full. See man auditd.conf - for details. - -Configuring /var/log/audit - as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev -. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount - for exact details regarding filesystem-independent and filesystem-specific options. - -As /var/log/audit - contains audit logs, care should be taken to ensure the security and integrity of the data and mount point. + The default installation only creates a single / + partition. Since the /var/log/audit + directory contains the audit.log + file which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit + and cause auditd + to trigger its space_left_action + as the disk is full. 
See man auditd.conf + for details. + + Configuring /var/log/audit + as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev + . These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount + for exact details regarding filesystem-independent and filesystem-specific options. + + As /var/log/audit + contains audit logs, care should be taken to ensure the security and integrity of the data and mount point. @@ -6021,11 +6021,11 @@ As /var/log/audit -For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit -. + For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit + . -For systems that were previously installed, create a new partition and configure /etc/fstab - as appropriate. + For systems that were previously installed, create a new partition and configure /etc/fstab + as appropriate. Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations. @@ -6045,8 +6045,8 @@ For systems that were previously installed, create a new partition and configure Ensure nodev option set on /var/log/audit partition -The nodev - mount option specifies that the filesystem cannot contain special devices. + The nodev + mount option specifies that the filesystem cannot contain special devices. 
@@ -6068,9 +6068,9 @@ The nodev -Since the /var/log/audit - filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit -. + Since the /var/log/audit + filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit + . @@ -6081,23 +6081,23 @@ Since the /var/log/audit - IF - - a separate partition exists for /var/log/audit -. + a separate partition exists for /var/log/audit + . -Edit the /etc/fstab - file and add nodev - to the fourth field (mounting options) for the /var/log/audit - partition. + Edit the /etc/fstab + file and add nodev + to the fourth field (mounting options) for the /var/log/audit + partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /var/log/audit - with the configured options: + Run the following command to remount /var/log/audit + with the configured options: # mount -o remount /var/log/audit - + @@ -6113,9 +6113,9 @@ Run the following command to remount Ensure nosuid option set on /var/log/audit partition -The nosuid - mount option specifies that the filesystem cannot contain setuid - files. + The nosuid + mount option specifies that the filesystem cannot contain setuid + files. @@ -6137,10 +6137,10 @@ The nosuid -Since the /var/log/audit - filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid - files in /var/log/audit -. + Since the /var/log/audit + filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid + files in /var/log/audit + . 
@@ -6151,23 +6151,23 @@ Since the /var/log/audit - IF - - a separate partition exists for /var/log/audit -. + a separate partition exists for /var/log/audit + . -Edit the /etc/fstab - file and add nosuid - to the fourth field (mounting options) for the /var/log/audit - partition. + Edit the /etc/fstab + file and add nosuid + to the fourth field (mounting options) for the /var/log/audit + partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /var/log/audit - with the configured options: + Run the following command to remount /var/log/audit + with the configured options: # mount -o remount /var/log/audit - + @@ -6183,8 +6183,8 @@ Run the following command to remount Ensure noexec option set on /var/log/audit partition -The noexec - mount option specifies that the filesystem cannot contain executable binaries. + The noexec + mount option specifies that the filesystem cannot contain executable binaries. @@ -6206,9 +6206,9 @@ The noexec -Since the /var/log/audit - filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit -. + Since the /var/log/audit + filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit + . 
@@ -6219,23 +6219,23 @@ Since the /var/log/audit - IF - - a separate partition exists for /var/log/audit -. + a separate partition exists for /var/log/audit + . -Edit the /etc/fstab - file and add noexec - to the fourth field (mounting options) for the /var/log/audit - partition. + Edit the /etc/fstab + file and add noexec + to the fourth field (mounting options) for the /var/log/audit + partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 - + -Run the following command to remount /var/log/audit - with the configured options: + Run the following command to remount /var/log/audit + with the configured options: # mount -o remount /var/log/audit - + @@ -6265,7 +6265,7 @@ Run the following command to remount Ensure GPG keys are configured @@ -6301,7 +6301,7 @@ Run the following command to remount -Fedora public keys: https://getfedora.org/security/ + Fedora public keys: https://getfedora.org/security/ @@ -6325,10 +6325,10 @@ Fedora public keys: Ensure gpgcheck is globally activated -The gpgcheck - option, found in the main section of the /etc/dnf/dnf.conf - and individual /etc/yum.repos.d/* - files, determines if an RPM package's signature is checked prior to its installation. + The gpgcheck + option, found in the main section of the /etc/dnf/dnf.conf + and individual /etc/yum.repos.d/* + files, determines if an RPM package's signature is checked prior to its installation. @@ -6358,24 +6358,24 @@ The gpgcheck -Edit /etc/dnf/dnf.conf - and set gpgcheck=1 -: + Edit /etc/dnf/dnf.conf + and set gpgcheck=1 + : Example # sed -i 's/^gpgcheck\s*=\s*.*/gpgcheck=1/' /etc/dnf/dnf.conf - + -Edit any failing files in /etc/yum.repos.d/* - and set all instances starting with gpgcheck - to 1 -. + Edit any failing files in /etc/yum.repos.d/* + and set all instances starting with gpgcheck + to 1 + . Example: # find /etc/yum.repos.d/ -name "*.repo" -exec echo "Checking:" {} \; -exec sed -i 's/^gpgcheck\s*=\s*.*/gpgcheck=1/' {} \; - + 
@@ -6397,10 +6397,10 @@ Edit any failing files in /et Ensure repo_gpgcheck is globally activated -The repo_gpgcheck - option, found in the main section of the /etc/dnf/dnf.conf - and individual /etc/yum.repos.d/* - files, will perform a GPG signature check on the repodata. + The repo_gpgcheck + option, found in the main section of the /etc/dnf/dnf.conf + and individual /etc/yum.repos.d/* + files, will perform a GPG signature check on the repodata. @@ -6433,35 +6433,35 @@ The repo_gpgcheck Global configuration -Edit /etc/dnf/dnf.conf - and set repo_gpgcheck=1 - in the [main] - section. + Edit /etc/dnf/dnf.conf + and set repo_gpgcheck=1 + in the [main] + section. Example: -[main]
-repo_gpgcheck=1 -
+ [main]
+ repo_gpgcheck=1 + Per repository configuration First check that the particular repository support GPG checking on the repodata. -Edit any failing files in /etc/yum.repos.d/* - and set all instances starting with repo_gpgcheck - to 1 -. + Edit any failing files in /etc/yum.repos.d/* + and set all instances starting with repo_gpgcheck + to 1 + . Impact: -Not all repositories, notably RedHat, support repo_gpgcheck -. Take care to set this value to false (default) for particular repositories that do not support it. If enabled on repositories that do not support repo_gpgcheck - installation of packages will fail. + Not all repositories, notably RedHat, support repo_gpgcheck + . Take care to set this value to false (default) for particular repositories that do not support it. If enabled on repositories that do not support repo_gpgcheck + installation of packages will fail. -Research is required by the user to determine which repositories is configured on the local system and, from that list, which support repo_gpgcheck -. + Research is required by the user to determine which repositories is configured on the local system and, from that list, which support repo_gpgcheck + . @@ -6501,7 +6501,7 @@ Research is required by the user to determine which repositories is configured o
-For further information about Fedora repositories see: https://docs.fedoraproject.org/en-US/quick-docs/repositories/ + For further information about Fedora repositories see: https://docs.fedoraproject.org/en-US/quick-docs/repositories/
@@ -6560,7 +6560,7 @@ For further information about Fedora repositories see: Site policy may mandate a testing period before install onto production systems for available updates. # dnf check-update - +
@@ -6577,10 +6577,10 @@ For further information about Fedora repositories see: Use your package manager to update all packages on the system according to site policy. The following command will install all available updates: # dnf update - + Once the update process is complete, verify if reboot is required to load changes. dnf needs-restarting -r - + @@ -6593,7 +6593,7 @@ For further information about Fedora repositories see: Mandatory Access Control (MAC) provides an additional layer of access restrictions to processes on top of the base Discretionary Access Controls. By restricting how processes can access files and resources on a system the potential impact from vulnerabilities in the processes can be reduced. Impact: - Mandatory Access Control limits the capabilities of applications and daemons on a system, while this can prevent unauthorized access the configuration of MAC can be complex and difficult to implement correctly preventing legitimate access from occurring. + Mandatory Access Control limits the capabilities of applications and daemons on a system, while this can prevent unauthorized access the configuration of MAC can be complex and difficult to implement correctly preventing legitimate access from occurring. Configure SELinux 
@@ -6606,14 +6606,14 @@ For further information about Fedora repositories see: targeted - - Targeted processes run in their own domain, called a confined domain. In a confined domain, the files that a targeted process has access to are limited. If a confined process is compromised by an attacker, the attacker’s access to resources and the possible damage they can do is also limited. SELinux denies access to these resources and logs the denial. + - Targeted processes run in their own domain, called a confined domain. In a confined domain, the files that a targeted process has access to are limited. If a confined process is compromised by an attacker, the attacker’s access to resources and the possible damage they can do is also limited. SELinux denies access to these resources and logs the denial. mls - - Implements Multi-Level Security (MLS), which introduces even more kinds of labels (sensitivity and category) and rules that govern access based on these. + - Implements Multi-Level Security (MLS), which introduces even more kinds of labels (sensitivity and category) and rules that govern access based on these. -This section provides guidance for the configuration of the targeted - policy. + This section provides guidance for the configuration of the targeted + policy. Note: 
@@ -6627,27 +6627,27 @@ This section provides guidance for the configuration of the -NSA SELinux resources: - + NSA SELinux resources: + https://www.nsa.gov/Research/Technical-Papers-Brochures/smdsearch14229/selinux -Fedora SELinux resources: - + Fedora SELinux resources: + -Getting started with SELinux: https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux + Getting started with SELinux: https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux -User Guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index + User Guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index -SELinux Project web page and wiki: - + SELinux Project web page and wiki: + http://www.selinuxproject.org @@ -6688,10 +6688,10 @@ SELinux Project web page and wiki: -Run the following command to install SELinux -: + Run the following command to install SELinux + : # dnf install libselinux - + 
@@ -6727,13 +6727,13 @@ Run the following command to install grubby - is a command line tool for updating and displaying information about the configuration files for the grub2 and zipl boot loaders. It is primarily designed to be used from scripts which install new kernels and need to find information about the current boot environment. + is a command line tool for updating and displaying information about the configuration files for the grub2 and zipl boot loaders. It is primarily designed to be used from scripts which install new kernels and need to find information about the current boot environment. -All bootloaders define the boot entries as individual configuration fragments that are stored by default in /boot/loader/entries -. The format for the config files is specified at https://systemd.io/BOOT_LOADER_SPECIFICATION -. The grubby tool is used to update and display the configuration defined in the BootLoaderSpec - fragment files. + All bootloaders define the boot entries as individual configuration fragments that are stored by default in /boot/loader/entries + . The format for the config files is specified at https://systemd.io/BOOT_LOADER_SPECIFICATION + . The grubby tool is used to update and display the configuration defined in the BootLoaderSpec + fragment files. There are a number of ways to specify the kernel used for --info, --remove-kernel, and --update-kernel. Specifying DEFAULT or ALL selects the de‐fault entry and all of the entries, respectively. Also, the title of a boot entry may be specified by using TITLE=title as the argument; all entries with that title are used. 
@@ -6748,18 +6748,18 @@ All bootloaders define the boot entries as individual configuration fragments -Run the following command to remove the selinux=0 - and enforcing=0 - parameters: + Run the following command to remove the selinux=0 + and enforcing=0 + parameters: grubby --update-kernel ALL --remove-args "selinux=0 enforcing=0" - + -Run the following command to remove the selinux=0 - and enforcing=0 - parameters if they were created by the deprecated grub2-mkconfig - command: + Run the following command to remove the selinux=0 + and enforcing=0 + parameters if they were created by the deprecated grub2-mkconfig + command: # grep -Prsq -- '\h*([^#\n\r]+\h+)?kernelopts=([^#\n\r]+\h+)?(selinux|enforcing)=0\b' /boot/grub2 /boot/efi && grub2-mkconfig -o "$(grep -Prl -- '\h*([^#\n\r]+\h+)?kernelopts=([^#\n\r]+\h+)?(selinux|enforcing)=0\b' /boot/grub2 /boot/efi)" - + Impact: Files created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because files are labeled incorrectly or are not labeled at all. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode. This can be a long running process that should be accounted for as it may extend downtime during initial re-boot. @@ -6804,8 +6804,8 @@ Run the following command to remove the -If your organization requires stricter policies, ensure that they are set in the /etc/selinux/config - file. + If your organization requires stricter policies, ensure that they are set in the /etc/selinux/config + file.
@@ -6818,10 +6818,10 @@ If your organization requires stricter policies, ensure that they are set in the -Edit the /etc/selinux/config - file to set the SELINUXTYPE parameter: + Edit the /etc/selinux/config + file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted - + 
@@ -6843,19 +6843,19 @@ Edit the /etc/selinux/config< Enforcing - - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. + - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. Permissive - - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. + - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. Disabled - - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future + - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: - You can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: + You can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t - + 
@@ -6887,30 +6887,30 @@ Edit the /etc/selinux/config< Run one of the following commands to set SELinux's running mode: -To set SELinux mode to Enforcing -: + To set SELinux mode to Enforcing + : # setenforce 1 - + - OR - -To set SELinux mode to Permissive -: + To set SELinux mode to Permissive + : # setenforce 0 - + -Edit the /etc/selinux/config - file to set the SELINUX parameter: + Edit the /etc/selinux/config + file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing - + - OR - For Permissive mode: SELINUX=permissive - + 
@@ -6939,19 +6939,19 @@ Edit the /etc/selinux/config< Enforcing - - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. + - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. Permissive - - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. + - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. Disabled - - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future + - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: - You can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: + You can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t - + 
@@ -6987,13 +6987,13 @@ Edit the /etc/selinux/config< Run the following command to set SELinux's running mode: # setenforce 1 - + -Edit the /etc/selinux/config - file to set the SELINUX parameter: + Edit the /etc/selinux/config + file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing - + Impact: Running SELinux in Enforcing mode may block intended access to files or processes if the SELinux policy is not correctly configured. If this occurs, review the system logs for details and update labels or policy as appropriate. @@ -7060,7 +7060,7 @@ Edit the /etc/selinux/config< Investigate any unconfined processes found during the audit action. If necessary create a customize SELinux policy to allow necessary actions for the service. Warning: - Knowledge about creating and configuring SELinux policies is needed. A Basic example on how to create a policy is included below. + Knowledge about creating and configuring SELinux policies is needed. A Basic example on how to create a policy is included below. Identify the unconfined service: determine the name and process of the service @@ -7076,44 +7076,44 @@ Edit the /etc/selinux/config< Example SELinux policy configuration: service_allowlist_policy.te -# Example SELinux policy configuration for allowing access to specific actions and resources for a service
+ # Example SELinux policy configuration for allowing access to specific actions and resources for a service

-module my_service 1.0;
+ module my_service 1.0;

-require {
- type my_service_t;
- type system_resource_t;
- class file { read write execute };
- class dir { read write add_name };
- class tcp_socket name_connect;
-}
+ require {
+ type my_service_t;
+ type system_resource_t;
+ class file { read write execute };
+ class dir { read write add_name };
+ class tcp_socket name_connect;
+ }

-allow my_service_t system_resource_t:file { read write execute }; # Allow my_service_t to read, write, and execute files with the system_resource_t context
+ allow my_service_t system_resource_t:file { read write execute }; # Allow my_service_t to read, write, and execute files with the system_resource_t context

-allow my_service_t system_resource_t:dir { read write add_name }; # Allow my_service_t to read and write to directories with the system_resource_t context
+ allow my_service_t system_resource_t:dir { read write add_name }; # Allow my_service_t to read and write to directories with the system_resource_t context

-allow my_service_t system_resource_t:tcp_socket name_connect; # Allow my_service_t to establish TCP connections -
+ allow my_service_t system_resource_t:tcp_socket name_connect; # Allow my_service_t to establish TCP connections + Compile the policy # checkmodule -M -, -o service_allowlist_policy.mod service_allowlist_policy.te - + Create the package # semodule_package -o service_allowlist_policy.pp -m service_allowlist_policy.mod - + Load the policy # semodule -i service_allowlist_policy.pp - + Apply the policy to the service # chcon -t se service_allowlist_policy /path/to/service_binary - + Impact: Confining a service that inherently requires unconfined access to function may disrupt its intended operations. This restriction may lead to downtime, degraded performance, or loss in functionality. It is crucial to analyze and adjust SELinux policies in accordance with site security policies and operational requirements. @@ -7132,8 +7132,8 @@ allow my_service_t system_resource_t:tcp_socket name_connect; # Allow my_service Ensure the MCS Translation Service (mcstrans) is not installed -The mcstransd - daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf + The mcstransd + daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf @@ -7164,10 +7164,10 @@ The mcstransd -Run the following command to uninstall mcstrans -: + Run the following command to uninstall mcstrans + : # dnf remove mcstrans - + @@ -7210,10 +7210,10 @@ Run the following command to uninstall setroubleshoot -: + Run the following command to uninstall setroubleshoot + : # dnf remove setroubleshoot - + 
@@ -7234,23 +7234,23 @@ Run the following command to uninstall kernelopts - environment variable. This variable was stored in the /boot/grub2/grubenv - file for each kernel boot entry. However, storing the kernel command-line parameters using kernelopts - was not robust. Therefore, the kernelopts - has been removed and the kernel command-line parameters are now stored in the Boot Loader Specification (BLS) snippet, instead of in the /boot/loader/entries/<KERNEL_BOOT_ENTRY>.conf - file.
+ In Fedora 28 based distributions, the kernel command-line parameters for systems using the GRUB2 bootloader were defined in the kernelopts + environment variable. This variable was stored in the /boot/grub2/grubenv + file for each kernel boot entry. However, storing the kernel command-line parameters using kernelopts + was not robust. Therefore, the kernelopts + has been removed and the kernel command-line parameters are now stored in the Boot Loader Specification (BLS) snippet, instead of in the /boot/loader/entries/<KERNEL_BOOT_ENTRY>.conf + file. -Boot loader configuration files are unified across CPU architectures - + Boot loader configuration files are unified across CPU architectures + -Configuration files for the GRUB boot loader are now stored in the /boot/grub2/ - directory on all supported CPU architectures. The /boot/efi/EFI/redhat/grub.cfg - file, which GRUB previously used as the main configuration file on UEFI systems, now simply loads the /boot/grub2/grub.cfg - file. + Configuration files for the GRUB boot loader are now stored in the /boot/grub2/ + directory on all supported CPU architectures. The /boot/efi/EFI/redhat/grub.cfg + file, which GRUB previously used as the main configuration file on UEFI systems, now simply loads the /boot/grub2/grub.cfg + file. -This change simplifies the layout of the GRUB configuration file, improves user experience, and provides the following notable benefits: - + This change simplifies the layout of the GRUB configuration file, improves user experience, and provides the following notable benefits: + You can boot the same installation with either EFI or legacy BIOS. You can use the same documentation and commands for all architectures. GRUB configuration tools are more robust, because they no longer rely on symbolic links and they do not have to handle platform-specific cases. 
@@ -7262,8 +7262,8 @@ This change simplifies the layout of the GRUB configuration file, improves user -Support for the 32-bit UEFI firmware was removed from the GRUB and shim boot loaders. As a consequence, Fedora 28 based distributions require a 64-bit UEFI, and can no longer boot on 64-bit systems that use a 32-bit UEFI. - + Support for the 32-bit UEFI firmware was removed from the GRUB and shim boot loaders. As a consequence, Fedora 28 based distributions require a 64-bit UEFI, and can no longer boot on 64-bit systems that use a 32-bit UEFI. + The following packages have been removed as part of this change: grub2-efi-ia32 @@ -7311,8 +7311,8 @@ Support for the 32-bit UEFI firmware was removed from the GRUB and shim boot loa This recommendation is designed around the grub2 bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings. grub2-setpassword - outputs the user.cfg - file which contains the hashed GRUB bootloader password. This utility only supports configurations where there is a single root user. + outputs the user.cfg + file which contains the hashed GRUB bootloader password. This utility only supports configurations where there is a single root user.
@@ -7325,19 +7325,19 @@ Support for the 32-bit UEFI firmware was removed from the GRUB and shim boot loa -Create an encrypted password with grub2-setpassword -: + Create an encrypted password with grub2-setpassword + : -# grub2-setpassword
+ # grub2-setpassword

-Enter password: <password>
-Confirm password: <password> -
+ Enter password: <password>
+ Confirm password: <password> + Impact: -If password protection is enabled, only the designated superuser can edit a GRUB 2 menu item by pressing e - or access the GRUB 2 command line by pressing c + If password protection is enabled, only the designated superuser can edit a GRUB 2 menu item by pressing e + or access the GRUB 2 command line by pressing c If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has no option to back out of the password prompt to select another menu entry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable, the configuration files will have to be edited via the LiveCD or other means to fix the problem @@ -7392,40 +7392,40 @@ If password protection is enabled, only the designated superuser can edit a GRUB Run the following to update the mode, ownership, and group ownership of the grub configuration files: - IF - - the system uses UEFI (Files located in /boot/efi/EFI/* -) + the system uses UEFI (Files located in /boot/efi/EFI/* + ) -Edit /etc/fstab - and add the fmask=0077 -, uid=0 -, and gid=0 - options: + Edit /etc/fstab + and add the fmask=0077 + , uid=0 + , and gid=0 + options: Example: <device> /boot/efi vfat defaults,umask=0027,fmask=0077,uid=0,gid=0 0 0 - + Note: - This may require a re-boot to enable the change + This may require a re-boot to enable the change - OR - - IF - - the system uses BIOS (Files located in /boot/grub2/* -) + the system uses BIOS (Files located in /boot/grub2/* + ) Run the following commands to set ownership and permissions on your grub configuration file(s): -# [ -f /boot/grub2/grub.cfg ] && chown root:root /boot/grub2/grub.cfg
-# [ -f /boot/grub2/grub.cfg ] && chmod u-x,go-rwx /boot/grub2/grub.cfg
+ # [ -f /boot/grub2/grub.cfg ] && chown root:root /boot/grub2/grub.cfg
+ # [ -f /boot/grub2/grub.cfg ] && chmod u-x,go-rwx /boot/grub2/grub.cfg

-# [ -f /boot/grub2/grubenv ] && chown root:root /boot/grub2/grubenv
-# [ -f /boot/grub2/grubenv ] && chmod u-x,go-rwx /boot/grub2/grubenv
+ # [ -f /boot/grub2/grubenv ] && chown root:root /boot/grub2/grubenv
+ # [ -f /boot/grub2/grubenv ] && chmod u-x,go-rwx /boot/grub2/grubenv

-# [ -f /boot/grub2/user.cfg ] && chown root:root /boot/grub2/user.cfg
-# [ -f /boot/grub2/user.cfg ] && chmod u-x,go-rwx /boot/grub2/user.cfg -
+ # [ -f /boot/grub2/user.cfg ] && chown root:root /boot/grub2/user.cfg
+ # [ -f /boot/grub2/user.cfg ] && chmod u-x,go-rwx /boot/grub2/user.cfg +
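Review bot: Every added line in this hunk differs from the removed one only by a leading space, and that space now lands inside the remediation command samples, e.g. `+ # [ -f /boot/grub2/grub.cfg ] && chown root:root /boot/grub2/grub.cfg` and `+ # [ -f /boot/grub2/user.cfg ] && chmod u-x,go-rwx /boot/grub2/user.cfg`, as well as inside fragments such as `fmask=0077` / `uid=0` / `gid=0` that read as split-out XML text nodes. If this file is the regenerated expected output of the parser, the extra whitespace looks like a side effect of the parser/option change in this commit (text nodes no longer being trimmed) rather than an intentional fixture update, and accepting it here would bake that into the expected text. It would be worth confirming that the rendered description is meant to carry those spaces, or trimming text nodes before regenerating the fixture, since the same pattern recurs in the `@@ -7325`, `@@ -7488`, `@@ -7565`, `@@ -7600`, `@@ -7648`, `@@ -7759`, `@@ -7876` and `@@ -7937` hunks of this section (the shell samples under `@@ -7600` and `@@ -7648` now begin `+ #!/usr/bin/env bash`). The hunk starts mid-line and its enclosing file section continues past what is visible here.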
@@ -7475,10 +7475,10 @@ Edit /etc/fstab -Set the following parameter in /etc/sysctl.conf - or a file in /etc/sysctl.d/ - ending in .conf -: + Set the following parameter in /etc/sysctl.conf + or a file in /etc/sysctl.d/ + ending in .conf + : kernel.randomize_va_space = 2 @@ -7488,16 +7488,16 @@ Set the following parameter in Example: -# printf "
-kernel.randomize_va_space = 2
-" >> /etc/sysctl.d/60-kernel_sysctl.conf -
+ # printf "
+ kernel.randomize_va_space = 2
+ " >> /etc/sysctl.d/60-kernel_sysctl.conf + Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2 - + Note: - If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten + If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten
@@ -7513,8 +7513,8 @@ kernel.randomize_va_space = 2
Ensure ptrace_scope is restricted -The ptrace() - system call provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers. + The ptrace() + system call provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers. @@ -7535,9 +7535,9 @@ The ptrace() -Ptrace is very rarely used by regular applications and is mostly used by debuggers such as gdb - and strace -. + Ptrace is very rarely used by regular applications and is mostly used by debuggers such as gdb + and strace + . @@ -7552,10 +7552,10 @@ Ptrace is very rarely used by regular applications and is mostly used by debugge -Set the following parameter in /etc/sysctl.conf - or a file in /etc/sysctl.d/ - ending in .conf -: + Set the following parameter in /etc/sysctl.conf + or a file in /etc/sysctl.d/ + ending in .conf + : kernel.yama.ptrace_scope = 1 @@ -7565,16 +7565,16 @@ Set the following parameter in Example: -# printf "
-kernel.yama.ptrace_scope = 1
-" >> /etc/sysctl.d/60-kernel_sysctl.conf -
+ # printf "
+ kernel.yama.ptrace_scope = 1
+ " >> /etc/sysctl.d/60-kernel_sysctl.conf + Run the following command to set the active kernel parameter: # sysctl -w kernel.yama.ptrace_scope=1 - + Note: - If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten + If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten
@@ -7600,30 +7600,30 @@ kernel.yama.ptrace_scope = 1
-Create or edit the file /etc/systemd/coredump.conf -, or a file in the /etc/systemd/coredump.conf.d - directory ending in .conf -. + Create or edit the file /etc/systemd/coredump.conf + , or a file in the /etc/systemd/coredump.conf.d + directory ending in .conf + . -Edit or add the following line in the [Coredump] - section: + Edit or add the following line in the [Coredump] + section: ProcessSizeMax=0 - + Example: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- [ ! -d /etc/systemd/coredump.conf.d/ ] && mkdir /etc/systemd/coredump.conf.d/
- if grep -Psq -- '^\h*\[Coredump\]' /etc/systemd/coredump.conf.d/60-coredump.conf; then
- printf '%s\n' "ProcessSizeMax=0" >> /etc/systemd/coredump.conf.d/60-coredump.conf
- else
- printf '%s\n' "[Coredump]" "ProcessSizeMax=0" >> /etc/systemd/coredump.conf.d/60-coredump.conf
- fi
-} -
+ {
+ [ ! -d /etc/systemd/coredump.conf.d/ ] && mkdir /etc/systemd/coredump.conf.d/
+ if grep -Psq -- '^\h*\[Coredump\]' /etc/systemd/coredump.conf.d/60-coredump.conf; then
+ printf '%s\n' "ProcessSizeMax=0" >> /etc/systemd/coredump.conf.d/60-coredump.conf
+ else
+ printf '%s\n' "[Coredump]" "ProcessSizeMax=0" >> /etc/systemd/coredump.conf.d/60-coredump.conf
+ fi
+ } +
@@ -7648,30 +7648,30 @@ Edit or add the following line in the /etc/systemd/coredump.conf -, or a file in the /etc/systemd/coredump.conf.d - directory ending in .conf -. + Create or edit the file /etc/systemd/coredump.conf + , or a file in the /etc/systemd/coredump.conf.d + directory ending in .conf + . -Edit or add the following line in the [Coredump] - section: + Edit or add the following line in the [Coredump] + section: Storage=none - + Example: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- [ ! -d /etc/systemd/coredump.conf.d/ ] && mkdir /etc/systemd/coredump.conf.d/
- if grep -Psq -- '^\h*\[Coredump\]' /etc/systemd/coredump.conf.d/60-coredump.conf; then
- printf '%s\n' "Storage=none" >> /etc/systemd/coredump.conf.d/60-coredump.conf
- else
- printf '%s\n' "[Coredump]" "Storage=none" >> /etc/systemd/coredump.conf.d/60-coredump.conf
- fi
-} -
+ {
+ [ ! -d /etc/systemd/coredump.conf.d/ ] && mkdir /etc/systemd/coredump.conf.d/
+ if grep -Psq -- '^\h*\[Coredump\]' /etc/systemd/coredump.conf.d/60-coredump.conf; then
+ printf '%s\n' "Storage=none" >> /etc/systemd/coredump.conf.d/60-coredump.conf
+ else
+ printf '%s\n' "[Coredump]" "Storage=none" >> /etc/systemd/coredump.conf.d/60-coredump.conf
+ fi
+ } + 
@@ -7689,55 +7689,55 @@ Edit or add the following line in the The crypto policy definition files have a simple syntax following an INI file key = value syntax -Full policy definition files have suffix .pol -, subpolicy files have suffix .pmod -. Subpolicies do not have to have values set for all the keys. + Full policy definition files have suffix .pol + , subpolicy files have suffix .pmod + . Subpolicies do not have to have values set for all the keys. The effective configuration of a policy with subpolicies applied is the same as a configuration from a single policy obtained by concatenating the policy and the subpolicies in question. -The policy files shipped in packages are placed in /usr/share/crypto-policies/policies - and the subpolicies in /usr/share/crypto-policies/policies/modules -. + The policy files shipped in packages are placed in /usr/share/crypto-policies/policies + and the subpolicies in /usr/share/crypto-policies/policies/modules + . -Locally configured policy files should be placed in /etc/crypto-policies/policies - and subpolicies in /etc/crypto-policies/policies/modules -. + Locally configured policy files should be placed in /etc/crypto-policies/policies + and subpolicies in /etc/crypto-policies/policies/modules + . -The policy and subpolicy files must have names in upper-case except for the .pol - and .pmod - suffix as the update-crypto-policies command always converts the policy name to upper-case before searching for the policy on the filesystem. + The policy and subpolicy files must have names in upper-case except for the .pol + and .pmod + suffix as the update-crypto-policies command always converts the policy name to upper-case before searching for the policy on the filesystem. The following predefined policies are included: DEFAULT - - The default system-wide cryptographic policy level offers secure settings for current threat models. It allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2 protocols. 
The RSA keys and Diffie-Hellman parameters are accepted if they are at least 2048 bits long. + - The default system-wide cryptographic policy level offers secure settings for current threat models. It allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2 protocols. The RSA keys and Diffie-Hellman parameters are accepted if they are at least 2048 bits long. LEGACY - - This policy ensures maximum compatibility with Red Hat Enterprise Linux 5 and earlier; it is less secure due to an increased attack surface. In addition to the DEFAULT level algorithms and protocols, it includes support for the TLS 1.0 and 1.1 protocols. The algorithms DSA, 3DES, and RC4 are allowed, while RSA keys and Diffie-Hellman parameters are accepted if they are at least 1023 bits long. + - This policy ensures maximum compatibility with Red Hat Enterprise Linux 5 and earlier; it is less secure due to an increased attack surface. In addition to the DEFAULT level algorithms and protocols, it includes support for the TLS 1.0 and 1.1 protocols. The algorithms DSA, 3DES, and RC4 are allowed, while RSA keys and Diffie-Hellman parameters are accepted if they are at least 1023 bits long. FUTURE - - A stricter forward-looking security level intended for testing a possible future policy. This policy does not allow the use of SHA-1 in signature algorithms. It allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2 protocols. The RSA keys and Diffie-Hellman parameters are accepted if they are at least 3072 bits long. If your system communicates on the public internet, you might face interoperability problems. + - A stricter forward-looking security level intended for testing a possible future policy. This policy does not allow the use of SHA-1 in signature algorithms. It allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2 protocols. The RSA keys and Diffie-Hellman parameters are accepted if they are at least 3072 bits long. 
If your system communicates on the public internet, you might face interoperability problems. FIPS - - A policy level that conforms with the FIPS 140 requirements. The fips-mode-setup tool, which switches the RHEL system into FIPS mode, uses this policy internally. Switching to the FIPS policy does not guarantee compliance with the FIPS 140 standard. You also must re-generate all cryptographic keys after you set the system to FIPS mode. This is not possible in many scenarios. + - A policy level that conforms with the FIPS 140 requirements. The fips-mode-setup tool, which switches the RHEL system into FIPS mode, uses this policy internally. Switching to the FIPS policy does not guarantee compliance with the FIPS 140 standard. You also must re-generate all cryptographic keys after you set the system to FIPS mode. This is not possible in many scenarios. Ensure system wide crypto policy is not set to legacy When a system-wide policy is set up, the default behavior of applications will be to follow the policy. Applications will be unable to use algorithms and -protocols that do not meet the policy, unless you explicitly request the application to do so. + protocols that do not meet the policy, unless you explicitly request the application to do so. The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. -The LEGACY - policy ensures maximum compatibility with version 5 of the operating system and earlier; it is less secure due to an increased attack surface. In addition to the DEFAULT - level algorithms and protocols, it includes support for the TLS 1.0 - and 1.1 - protocols. The algorithms DSA -, 3DES -, and RC4 - are allowed, while RSA keys - and Diffie-Hellman - parameters are accepted if they are at least 1023 bits long. + The LEGACY + policy ensures maximum compatibility with version 5 of the operating system and earlier; it is less secure due to an increased attack surface. 
In addition to the DEFAULT + level algorithms and protocols, it includes support for the TLS 1.0 + and 1.1 + protocols. The algorithms DSA + , 3DES + , and RC4 + are allowed, while RSA keys + and Diffie-Hellman + parameters are accepted if they are at least 1023 bits long. 
@@ -7759,47 +7759,47 @@ The LEGACY - IF - - FIPS is required by local site policy: + FIPS is required by local site policy: -The system-wide cryptographic policies contain a policy level that enables cryptographic algorithms in accordance with the requirements by the Federal Information Processing Standard (FIPS) Publication 140. The fips-mode-setup tool that enables or disables FIPS mode internally uses the FIPS systemwide cryptographic policy. -Switching the system to FIPS mode by using the FIPS system-wide cryptographic policy does not guarantee compliance with the FIPS 140 standard. Re-generating all cryptographic keys after setting the system to FIPS mode may not be possible. For example, in the case of an existing IdM realm with users' cryptographic keys you cannot re-generate all the keys. The fips-mode-setup tool uses the FIPS policy internally. But on top of what the update-crypto-policies - command with the --set FIPS - option does, fips-mode-setup - ensures the installation of the FIPS dracut - module by using the fips-finish-install - tool, it also adds the fips=1 - boot option to the kernel command line and regenerates the initial ramdisk. + The system-wide cryptographic policies contain a policy level that enables cryptographic algorithms in accordance with the requirements by the Federal Information Processing Standard (FIPS) Publication 140. The fips-mode-setup tool that enables or disables FIPS mode internally uses the FIPS systemwide cryptographic policy. + Switching the system to FIPS mode by using the FIPS system-wide cryptographic policy does not guarantee compliance with the FIPS 140 standard. Re-generating all cryptographic keys after setting the system to FIPS mode may not be possible. For example, in the case of an existing IdM realm with users' cryptographic keys you cannot re-generate all the keys. The fips-mode-setup tool uses the FIPS policy internally. 
But on top of what the update-crypto-policies + command with the --set FIPS + option does, fips-mode-setup + ensures the installation of the FIPS dracut + module by using the fips-finish-install + tool, it also adds the fips=1 + boot option to the kernel command line and regenerates the initial ramdisk. IMPORTANT: - Only enabling FIPS mode during installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place. + Only enabling FIPS mode during installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place. Run the following command to switch the system to FIPS mode: # fips-mode-setup --enable - + Output: -Kernel initramdisks are being regenerated. This might take some time.
-Setting system policy to FIPS
-Note: System-wide crypto policies are applied on application start-up.
-It is recommended to restart the system for the change of policies
-to fully take place.
-FIPS mode will be enabled.
-Please reboot the system for the setting to take effect. -
+ Kernel initramdisks are being regenerated. This might take some time.
+ Setting system policy to FIPS
+ Note: System-wide crypto policies are applied on application start-up.
+ It is recommended to restart the system for the change of policies
+ to fully take place.
+ FIPS mode will be enabled.
+ Please reboot the system for the setting to take effect. + Run the following command to restart the system: # reboot - + After the reboot has completed, run the following command to verify FIPS mode: # fips-mode-setup --check - + Output: FIPS mode is enabled. - +
-If the LEGACY - system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. + If the LEGACY + system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457 @@ -7813,21 +7813,21 @@ If the LEGACY Run the following command to change the system-wide crypto policy # update-crypto-policies --set <CRYPTO POLICY> - + Example: # update-crypto-policies --set DEFAULT - + Run the following to make the updated system-wide crypto policy active # update-crypto-policies - + Impact: -Environments that require compatibility with older insecure protocols may require the use -of the less secure LEGACY - policy level. + Environments that require compatibility with older insecure protocols may require the use + of the less secure LEGACY + policy level. @@ -7865,8 +7865,8 @@ of the less secure LEGACYOver-riding or opting out of the system-wide crypto policy could allow for the use of less secure Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithm Note: - If changes to the system-wide crypto policy are required to meet local site policy for the openSSH server, these changes should be done with a sub-policy - assigned to the system-wide crypto policy. For additional information see the CRYPTO-POLICIES(7) man page + If changes to the system-wide crypto policy are required to meet local site policy for the openSSH server, these changes should be done with a sub-policy + assigned to the system-wide crypto policy. For additional information see the CRYPTO-POLICIES(7) man page
@@ -7876,10 +7876,10 @@ of the less secure LEGACY Run the following commands: -# sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
+ # sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd

-# systemctl reload sshd -
+ # systemctl reload sshd + @@ -7919,7 +7919,7 @@ of the less secure LEGACYThe SHA-1 hash function has an inherently weak design, and advancing cryptanalysis has made it vulnerable to attacks. The most significant danger for a hash algorithm is when a "collision" which happens when two different pieces of data produce the same hash value occurs. This hashing algorithm has been considered weak since 2005. Note: - The use of SHA-1 with hashbased message authentication codes (HMAC) do not rely on the collision resistance of the corresponding hash function, and therefore the recent attacks on SHA-1 have a significantly lower impact on the use of SHA-1 for HMAC. Because of this, the recommendation does not disable the hmac-sha1 MAC. + The use of SHA-1 with hashbased message authentication codes (HMAC) do not rely on the collision resistance of the corresponding hash function, and therefore the recent attacks on SHA-1 have a significantly lower impact on the use of SHA-1 for HMAC. Because of this, the recommendation does not disable the hmac-sha1 MAC.
@@ -7937,56 +7937,56 @@ of the less secure LEGACY -The commands below are written for the included DEFAULT - system-wide crypto policy. If another policy is in use and follows local site policy, replace DEFAULT - with the name of your system-wide crypto policy. + The commands below are written for the included DEFAULT + system-wide crypto policy. If another policy is in use and follows local site policy, replace DEFAULT + with the name of your system-wide crypto policy. -Multiple subpolicies may be assigned to a policy as a colon separated list. e.g. DEFAULT:NO-SHA1:NO-SSHCBC + Multiple subpolicies may be assigned to a policy as a colon separated list. e.g. DEFAULT:NO-SHA1:NO-SSHCBC -Subpolicies: - + Subpolicies: + -Not included in the update-crypto-policies --set - command will not - be applied to the system wide crypto policy. + Not included in the update-crypto-policies --set + command will not + be applied to the system wide crypto policy. must exist - before they can be applied to the system wide crypto policy. + before they can be applied to the system wide crypto policy. .pmod - file filenames must be in all upper case, upper case, e.g. NO-SHA1.pmod -, or they will not - be read by the update-crypto-policies --set - command. + file filenames must be in all upper case, upper case, e.g. NO-SHA1.pmod + , or they will not + be read by the update-crypto-policies --set + command. -Create or edit a file in /etc/crypto-policies/policies/modules/ - ending in .pmod - and add or modify the following lines: + Create or edit a file in /etc/crypto-policies/policies/modules/ + ending in .pmod + and add or modify the following lines: -hash = -SHA1
-sign = -*-SHA1
-sha1_in_certs = 0 -
+ hash = -SHA1
+ sign = -*-SHA1
+ sha1_in_certs = 0 + Example: # printf '%s\n' "# This is a subpolicy dropping the SHA1 hash and signature support" "hash = -SHA1" "sign = -*-SHA1" "sha1_in_certs = 0" >> /etc/crypto-policies/policies/modules/NO-SHA1.pmod - + Run the following command to update the system-wide cryptographic policy # update-crypto-policies --set <CRYPTO_POLICY>:<CRYPTO_SUBPOLICY1>:<CRYPTO_SUBPOLICY2>:<CRYPTO_SUBPOLICY3> - + Example: update-crypto-policies --set DEFAULT:NO-SHA1 - + Run the following command to reboot the system to make your cryptographic settings effective for already running services and applications: # reboot - + 
@@ -8059,54 +8059,54 @@ sha1_in_certs = 0 -The commands below are written for the included DEFAULT - system-wide crypto policy. If another policy is in use and follows local site policy, replace DEFAULT - with the name of your system-wide crypto policy. + The commands below are written for the included DEFAULT + system-wide crypto policy. If another policy is in use and follows local site policy, replace DEFAULT + with the name of your system-wide crypto policy. -Multiple subpolicies may be assigned to a policy as a colon separated list. e.g. DEFAULT:NO-SHA1:NO-SSHCBC + Multiple subpolicies may be assigned to a policy as a colon separated list. e.g. DEFAULT:NO-SHA1:NO-SSHCBC -Subpolicies: - + Subpolicies: + -Not included in the update-crypto-policies --set - command will not - be applied to the system wide crypto policy. + Not included in the update-crypto-policies --set + command will not + be applied to the system wide crypto policy. must exist - before they can be applied to the system wide crypto policy. + before they can be applied to the system wide crypto policy. .pmod - file filenames must be in all upper case, upper case, e.g. NO-WEAKMAC.pmod -, or they will not - be read by the update-crypto-policies --set - command. + file filenames must be in all upper case, upper case, e.g. NO-WEAKMAC.pmod + , or they will not + be read by the update-crypto-policies --set + command. 
-Create or edit a file in /etc/crypto-policies/policies/modules/ - ending in .pmod - and add or modify one - of the following lines: + Create or edit a file in /etc/crypto-policies/policies/modules/ + ending in .pmod + and add or modify one + of the following lines: mac = -*-64* # Disables weak macs - + Example: # printf '%s\n' "# This is a subpolicy to disable weak macs" "mac = -*-64" >> /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod - + Run the following command to update the system-wide cryptographic policy # update-crypto-policies --set <CRYPTO_POLICY>:<CRYPTO_SUBPOLICY1>:<CRYPTO_SUBPOLICY2>:<CRYPTO_SUBPOLICY3> - + Example: update-crypto-policies --set DEFAULT:NO-SHA1:NO-WEAKMAC - + Run the following command to reboot the system to make your cryptographic settings effective for already running services and applications: # reboot - + 
@@ -8171,58 +8171,58 @@ Create or edit a file in /etc/c -The commands below are written for the included DEFAULT - system-wide crypto policy. If another policy is in use and follows local site policy, replace DEFAULT - with the name of your system-wide crypto policy. + The commands below are written for the included DEFAULT + system-wide crypto policy. If another policy is in use and follows local site policy, replace DEFAULT + with the name of your system-wide crypto policy. CBC - can be turned off globally by using the argument cipher - opposed to cipher@SSH + can be turned off globally by using the argument cipher + opposed to cipher@SSH -Multiple subpolicies may be assigned to a policy as a colon separated list. e.g. DEFAULT:NO-SHA1:NO-SSHCBC + Multiple subpolicies may be assigned to a policy as a colon separated list. e.g. DEFAULT:NO-SHA1:NO-SSHCBC -Subpolicies: - + Subpolicies: + -Not included in the update-crypto-policies --set - command will not - be applied to the system wide crypto policy. + Not included in the update-crypto-policies --set + command will not + be applied to the system wide crypto policy. must exist - before they can be applied to the system wide crypto policy. + before they can be applied to the system wide crypto policy. .pmod - file filenames must be in all upper case, upper case, e.g. NO-SSHCBC.pmod -, or they will not - be read by the update-crypto-policies --set - command. -Create or edit a file in /etc/crypto-policies/policies/modules/ - ending in .pmod - and add or modify one - of the the following lines: + file filenames must be in all upper case, upper case, e.g. NO-SSHCBC.pmod + , or they will not + be read by the update-crypto-policies --set + command. 
+ Create or edit a file in /etc/crypto-policies/policies/modules/ + ending in .pmod + and add or modify one + of the the following lines: cipher@SSH = -*-CBC # Disables the CBC cipher for SSH - + Example: # printf '%s\n' "# This is a subpolicy to disable all CBC mode ciphers" "# for the SSH protocol (libssh and OpenSSH)" "cipher@SSH = -*-CBC" >> /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod - + Run the following command to update the system-wide cryptographic policy # update-crypto-policies --set <CRYPTO_POLICY>:<CRYPTO_SUBPOLICY1>:<CRYPTO_SUBPOLICY2>:<CRYPTO_SUBPOLICY3> - + Example: update-crypto-policies --set DEFAULT:NO-SHA1:NO-WEAKMAC:NO-SSHCBC - + Run the following command to reboot the system to make your cryptographic settings effective for already running services and applications: # reboot - + Impact: CBC ciphers might be the only common cyphers when connecting to older SSH clients and servers @@ -8269,7 +8269,7 @@ Create or edit a file in
-A vulnerability exists in ChaCha20-Poly1305 as referenced in CVE-2023-48795 + A vulnerability exists in ChaCha20-Poly1305 as referenced in CVE-2023-48795 
@@ -8288,63 +8288,63 @@ A vulnerability exists in ChaCha20-Poly1305 as referenced in -The commands below are written for the included DEFAULT - system-wide crypto policy. If another policy is in use and follows local site policy, replace DEFAULT - with the name of your system-wide crypto policy. + The commands below are written for the included DEFAULT + system-wide crypto policy. If another policy is in use and follows local site policy, replace DEFAULT + with the name of your system-wide crypto policy. chacha20-poly1305 - can be turned off globally by using the argument cipher - opposed to cipher@SSH + can be turned off globally by using the argument cipher + opposed to cipher@SSH -Multiple subpolicies may be assigned to a policy as a colon separated list. e.g. DEFAULT:NO-SHA1:NO-SSHCBC + Multiple subpolicies may be assigned to a policy as a colon separated list. e.g. DEFAULT:NO-SHA1:NO-SSHCBC -Subpolicies: - + Subpolicies: + -Not included in the update-crypto-policies --set - command will not - be applied to the system wide crypto policy. + Not included in the update-crypto-policies --set + command will not + be applied to the system wide crypto policy. must exist - before they can be applied to the system wide crypto policy. + before they can be applied to the system wide crypto policy. .pmod - file filenames must be in all upper case, upper case, e.g. NO-SSHCHACHA20.pmod -, or they will not - be read by the update-crypto-policies --set - command. + file filenames must be in all upper case, upper case, e.g. NO-SSHCHACHA20.pmod + , or they will not + be read by the update-crypto-policies --set + command. - IF - CVE-2023-48795 - has been addressed, and it meets local site policy, this recommendation may be skipped. + has been addressed, and it meets local site policy, this recommendation may be skipped. 
-Create or edit a file in /etc/crypto-policies/policies/modules/ - ending in .pmod - and add or modify one - of the the following lines: + Create or edit a file in /etc/crypto-policies/policies/modules/ + ending in .pmod + and add or modify one + of the the following lines: cipher@SSH = -CHACHA20-POLY1305 # Disables the chacha20-poly1305 cipher for SSH - + Example: # printf '%s\n' "# This is a subpolicy to disable the chacha20-poly1305 ciphers" "# for the SSH protocol (libssh and OpenSSH)" "cipher@SSH = -CHACHA20-POLY1305" >> /etc/crypto-policies/policies/modules/NO-SSHCHACHA20.pmod - + Run the following command to update the system-wide cryptographic policy # update-crypto-policies --set <CRYPTO_POLICY>:<CRYPTO_SUBPOLICY1>:<CRYPTO_SUBPOLICY2>:<CRYPTO_SUBPOLICY3> - + Example: # update-crypto-policies --set DEFAULT:NO-SHA1:NO-WEAKMAC:NO-SSHCBC:NO-SSHCHACHA20 - + Run the following command to reboot the system to make your cryptographic settings effective for already running services and applications: # reboot - + @@ -8387,7 +8387,7 @@ Create or edit a file in /etc/c
-There is an effective attack against SSH's use of Cypher-Block-Chaining (CBC) with Encrypt-then-MAC as referenced in CVE-2023-48795 + There is an effective attack against SSH's use of Cypher-Block-Chaining (CBC) with Encrypt-then-MAC as referenced in CVE-2023-48795 
@@ -8407,62 +8407,62 @@ There is an effective attack against SSH's use of Cypher-Block-Chaining (CBC) wi -The commands below are written for the included DEFAULT - system-wide crypto policy. If another policy is in use and follows local site policy, replace DEFAULT - with the name of your system-wide crypto policy. + The commands below are written for the included DEFAULT + system-wide crypto policy. If another policy is in use and follows local site policy, replace DEFAULT + with the name of your system-wide crypto policy. EtM - can be turned off globally by using the argument etm - opposed to etm@SSH + can be turned off globally by using the argument etm + opposed to etm@SSH -Multiple subpolicies may be assigned to a policy as a colon separated list. e.g. DEFAULT:NO-SHA1:NO-SSHCBC + Multiple subpolicies may be assigned to a policy as a colon separated list. e.g. DEFAULT:NO-SHA1:NO-SSHCBC -Subpolicies: - + Subpolicies: + -Not included in the update-crypto-policies --set - command will not - be applied to the system wide crypto policy. + Not included in the update-crypto-policies --set + command will not + be applied to the system wide crypto policy. must exist - before they can be applied to the system wide crypto policy. + before they can be applied to the system wide crypto policy. .pmod - file filenames must be in all upper case, upper case, e.g. NO-SSHCHACHA20.pmod -, or they will not - be read by the update-crypto-policies --set - command. + file filenames must be in all upper case, upper case, e.g. NO-SSHCHACHA20.pmod + , or they will not + be read by the update-crypto-policies --set + command. - IF - CVE-2023-48795 - has been addressed, and it meets local site policy, this recommendation may be skipped. + has been addressed, and it meets local site policy, this recommendation may be skipped. 
-Create or edit a file in /etc/crypto-policies/policies/modules/ - ending in .pmod - and add or modify the following line: + Create or edit a file in /etc/crypto-policies/policies/modules/ + ending in .pmod + and add or modify the following line: etm@SSH = DISABLE_ETM # This disables EtM for openSSH and libssh - + Example: # printf '%s\n' "# This is a subpolicy to disable Encrypt then MAC" "# for the SSH protocol (libssh and OpenSSH)" "etm@SSH = DISABLE_ETM" >> /etc/crypto-policies/policies/modules/NO-SSHETM.pmod - + Run the following command to update the system-wide cryptographic policy # update-crypto-policies --set <CRYPTO_POLICY>:<CRYPTO_SUBPOLICY1>:<CRYPTO_SUBPOLICY2>:<CRYPTO_SUBPOLICY3> - + Example: # update-crypto-policies --set DEFAULT:NO-SHA1:NO-WEAKMAC:NO-SSHCBC:NO-SSHCHACHA20:NO-SSHETM - + Run the following command to reboot the system to make your cryptographic settings effective for already running services and applications: # reboot - + 
@@ -8491,89 +8491,89 @@ Create or edit a file in /etc/c Presenting a warning message prior to the normal user login may assist in the prosecution of trespassers on the computer system. Changing some of these login banners also has the side effect of hiding OS version information and other detailed system information from attackers attempting to target specific exploits at a system. -Guidelines published by the US Department of Defense require that warning messages include at least the name of the organization that owns the system, the fact that the system is subject to monitoring and that such monitoring is in compliance with local statutes, and that use of the system implies consent to such monitoring. It is important that the organization's legal counsel review the content of all messages before any system modifications are made, as these warning messages are inherently site-specific. More information (including citations of relevant case law) can be found at http://www.justice.gov/criminal/cybercrime/ + Guidelines published by the US Department of Defense require that warning messages include at least the name of the organization that owns the system, the fact that the system is subject to monitoring and that such monitoring is in compliance with local statutes, and that use of the system implies consent to such monitoring. It is important that the organization's legal counsel review the content of all messages before any system modifications are made, as these warning messages are inherently site-specific. More information (including citations of relevant case law) can be found at http://www.justice.gov/criminal/cybercrime/ -The /etc/motd -, /etc/issue -, and /etc/issue.net - files govern warning banners for standard command line logins for both local and remote users. + The /etc/motd + , /etc/issue + , and /etc/issue.net + files govern warning banners for standard command line logins for both local and remote users. 
Note: - The text provided in the remediation actions for these items is intended as an example only. Please edit to include the specific text for your organization as approved by your legal department. + The text provided in the remediation actions for these items is intended as an example only. Please edit to include the specific text for your organization as approved by your legal department. Ensure message of the day is configured properly -The contents of the /etc/motd - file are displayed to users after login and function as a message of the day for authenticated users. + The contents of the /etc/motd + file are displayed to users after login and function as a message of the day for authenticated users. -Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) - supports the following options, they display operating system information: \m - - machine architecture \r - - operating system release \s - - operating system name \v - - operating system version + Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) + supports the following options, they display operating system information: \m + - machine architecture \r + - operating system release \s + - operating system name \v + - operating system version -Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. 
Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a - " command once they have logged in. + Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a + " command once they have logged in. NIST SP 800-53 Rev. 5: CM-6, CM-1, CM-3 -Edit the file found in /etc/motd.d/* - with the appropriate contents according to your site policy, remove any instances of \m - , \r - , \s - , \v - or references to the OS platform + Edit the file found in /etc/motd.d/* + with the appropriate contents according to your site policy, remove any instances of \m + , \r + , \s + , \v + or references to the OS platform - OR - - IF - - the motd - is not used, this file can be removed. + the motd + is not used, this file can be removed. -Run the following command to remove the motd - file: + Run the following command to remove the motd + file: # rm /etc/motd - + Run the following script and review and/or update all returned files' contents to: -Remove all system information ( \v -, \r -; \m -, \s -) + Remove all system information ( \v + , \r + ; \m + , \s + ) Remove any refence to the operating system Ensure contents follow local site policy -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- a_files=()
- for l_file in /etc/motd{,.d/*}; do
- if grep -Psqi -- "(\\\v|\\\r|\\\m|\\\s|\b$(grep ^ID= /etc/os-release | cut -d= -f2 | sed -e 's/"//g')\b)" "$l_file"; then
- echo -e "\n - File: \"$l_file\" includes system information. Edit this file to remove these entries"
- else
- a_files+=("$l_file")
- fi
- done
- if [ "${#a_files[@]}" -gt 0 ]; then
- echo -e "\n- ** Please review the following files and verify their contents follow local site policy **\n"
- printf '%s\n' "${a_files[@]}"
- fi
-} -
+ {
+ a_files=()
+ for l_file in /etc/motd{,.d/*}; do
+ if grep -Psqi -- "(\\\v|\\\r|\\\m|\\\s|\b$(grep ^ID= /etc/os-release | cut -d= -f2 | sed -e 's/"//g')\b)" "$l_file"; then
+ echo -e "\n - File: \"$l_file\" includes system information. Edit this file to remove these entries"
+ else
+ a_files+=("$l_file")
+ fi
+ done
+ if [ "${#a_files[@]}" -gt 0 ]; then
+ echo -e "\n- ** Please review the following files and verify their contents follow local site policy **\n"
+ printf '%s\n' "${a_files[@]}"
+ fi
+ } +
@@ -8588,38 +8588,38 @@ Remove all system information ( Ensure local login warning banner is configured properly -The contents of the /etc/issue - file are displayed to users prior to login for local terminals. + The contents of the /etc/issue + file are displayed to users prior to login for local terminals. -Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) - supports the following options, they display operating system information: \m - - machine architecture \r - - operating system release \s - - operating system name \v - - operating system version - or the operating system's name + Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) + supports the following options, they display operating system information: \m + - machine architecture \r + - operating system release \s + - operating system name \v + - operating system version - or the operating system's name -Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a - " command once they have logged in. 
+ Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a + " command once they have logged in. NIST SP 800-53 Rev. 5: CM-6, CM-1, CM-3 -Edit the /etc/issue - file with the appropriate contents according to your site policy, remove any instances of \m - , \r - , \s - , \v - or references to the OS platform + Edit the /etc/issue + file with the appropriate contents according to your site policy, remove any instances of \m + , \r + , \s + , \v + or references to the OS platform Example: # echo "Authorized users only. All activity may be monitored and reported." > /etc/issue - + 
@@ -8637,38 +8637,38 @@ Edit the /etc/issueEnsure remote login warning banner is configured properly -The contents of the /etc/issue.net - file are displayed to users prior to login for remote connections from configured services. + The contents of the /etc/issue.net + file are displayed to users prior to login for remote connections from configured services. -Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) - supports the following options, they display operating system information: \m - - machine architecture \r - - operating system release \s - - operating system name \v - - operating system version + Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) + supports the following options, they display operating system information: \m + - machine architecture \r + - operating system release \s + - operating system name \v + - operating system version -Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a - " command once they have logged in. 
+ Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a + " command once they have logged in. NIST SP 800-53 Rev. 5: CM-6, CM-1, CM-3 -Edit the /etc/issue.net - file with the appropriate contents according to your site policy, remove any instances of \m - , \r - , \s - , \v - or references to the OS platform + Edit the /etc/issue.net + file with the appropriate contents according to your site policy, remove any instances of \m + , \r + , \s + , \v + or references to the OS platform Example: # echo "Authorized users only. All activity may be monitored and reported." > /etc/issue.net - + 
@@ -8686,8 +8686,8 @@ Edit the /etc/issue.netEnsure access to /etc/motd is configured -The contents of the /etc/motd - file are displayed to users after login and function as a message of the day for authenticated users. + The contents of the /etc/motd + file are displayed to users after login and function as a message of the day for authenticated users. 
@@ -8710,8 +8710,8 @@ The contents of the /etc/motd - IF - - the /etc/motd - file does not have the correct access configured, it could be modified by unauthorized users with incorrect or misleading information. + the /etc/motd + file does not have the correct access configured, it could be modified by unauthorized users with incorrect or misleading information. 
@@ -8720,20 +8720,20 @@ The contents of the /etc/motd -Run the following commands to set mode, owner, and group on /etc/motd -: + Run the following commands to set mode, owner, and group on /etc/motd + : -# chown root:root $(readlink -e /etc/motd)
-# chmod u-x,go-wx $(readlink -e /etc/motd) -
+ # chown root:root $(readlink -e /etc/motd)
+ # chmod u-x,go-wx $(readlink -e /etc/motd) + - OR - -Run the following command to remove the /etc/motd - file: + Run the following command to remove the /etc/motd + file: # rm /etc/motd - + 
@@ -8761,8 +8761,8 @@ Run the following command to remove the Ensure access to /etc/issue is configured -The contents of the /etc/issue - file are displayed to users prior to login for local terminals. + The contents of the /etc/issue + file are displayed to users prior to login for local terminals. 
@@ -8785,8 +8785,8 @@ The contents of the /etc/issue - IF - - the /etc/issue - file does not have the correct access configured, it could be modified by unauthorized users with incorrect or misleading information. + the /etc/issue + file does not have the correct access configured, it could be modified by unauthorized users with incorrect or misleading information. 
@@ -8795,12 +8795,12 @@ The contents of the /etc/issue -Run the following commands to set mode, owner, and group on /etc/issue -: + Run the following commands to set mode, owner, and group on /etc/issue + : -# chown root:root $(readlink -e /etc/issue)
-# chmod u-x,go-wx $(readlink -e /etc/issue) -
+ # chown root:root $(readlink -e /etc/issue)
+ # chmod u-x,go-wx $(readlink -e /etc/issue) + 
@@ -8828,8 +8828,8 @@ Run the following commands to set mode, owner, and group on Ensure access to /etc/issue.net is configured -The contents of the /etc/issue.net - file are displayed to users prior to login for remote connections from configured services. + The contents of the /etc/issue.net + file are displayed to users prior to login for remote connections from configured services. 
@@ -8852,8 +8852,8 @@ The contents of the /etc/issue.net< - IF - - the /etc/issue.net - file does not have the correct access configured, it could be modified by unauthorized users with incorrect or misleading information. + the /etc/issue.net + file does not have the correct access configured, it could be modified by unauthorized users with incorrect or misleading information. 
@@ -8862,12 +8862,12 @@ The contents of the /etc/issue.net< -Run the following commands to set mode, owner, and group on /etc/issue.net -: + Run the following commands to set mode, owner, and group on /etc/issue.net + : -# chown root:root $(readlink -e /etc/issue.net)
-# chmod u-x,go-wx $(readlink -e /etc/issue.net) -
+ # chown root:root $(readlink -e /etc/issue.net)
+ # chmod u-x,go-wx $(readlink -e /etc/issue.net) +
@@ -8898,7 +8898,7 @@ Run the following commands to set mode, owner, and group on The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins. Note: - If GDM is not installed on the system, this section can be skipped + If GDM is not installed on the system, this section can be skipped Ensure GNOME Display Manager is removed 
@@ -8933,10 +8933,10 @@ Run the following commands to set mode, owner, and group on -Run the following command to remove the gdm - package + Run the following command to remove the gdm + package # dnf remove gdm - + Impact: Removing the GNOME Display manager will remove the Graphical User Interface (GUI) from the system. 
@@ -8958,8 +8958,8 @@ Run the following command to remove the -Additional options and sections may appear in the /etc/dconf/db/gdm.d/01-banner-message - file. + Additional options and sections may appear in the /etc/dconf/db/gdm.d/01-banner-message + file. If a different GUI login service is in use, consult your documentation and apply an equivalent banner.
@@ -8972,52 +8972,52 @@ Additional options and sections may appear in the Run the following script to verify that the banner message is enabled and set: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_pkgoutput=""
- if command -v dpkg-query > /dev/null 2>&1; then
- l_pq="dpkg-query -W"
- elif command -v rpm > /dev/null 2>&1; then
- l_pq="rpm -q"
- fi
- l_pcl="gdm gdm3" # Space separated list of packages to check
- for l_pn in $l_pcl; do
- $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
- done
- if [ -n "$l_pkgoutput" ]; then
+ {
+ l_pkgoutput=""
+ if command -v dpkg-query > /dev/null 2>&1; then
+ l_pq="dpkg-query -W"
+ elif command -v rpm > /dev/null 2>&1; then
+ l_pq="rpm -q"
+ fi
+ l_pcl="gdm gdm3" # Space separated list of packages to check
+ for l_pn in $l_pcl; do
+ $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
+ done
+ if [ -n "$l_pkgoutput" ]; then

- l_gdmprofile="gdm" # Set this to desired profile name IaW Local site policy
- l_bmessage="'Authorized uses only. All activity may be monitored and reported'" # Set to desired banner message
- if [ ! -f "/etc/dconf/profile/$l_gdmprofile" ]; then
- echo "Creating profile \"$l_gdmprofile\""
- echo -e "user-db:user\nsystem-db:$l_gdmprofile\nfile-db:/usr/share/$l_gdmprofile/greeter-dconf-defaults" > /etc/dconf/profile/$l_gdmprofile
- fi
- if [ ! -d "/etc/dconf/db/$l_gdmprofile.d/" ]; then
- echo "Creating dconf database directory \"/etc/dconf/db/$l_gdmprofile.d/\""
- mkdir /etc/dconf/db/$l_gdmprofile.d/
- fi
- if ! grep -Piq '^\h*banner-message-enable\h*=\h*true\b' /etc/dconf/db/$l_gdmprofile.d/*; then
- echo "creating gdm keyfile for machine-wide settings"
- if ! grep -Piq -- '^\h*banner-message-enable\h*=\h*' /etc/dconf/db/$l_gdmprofile.d/*; then
- l_kfile="/etc/dconf/db/$l_gdmprofile.d/01-banner-message"
- echo -e "\n[org/gnome/login-screen]\nbanner-message-enable=true" >> "$l_kfile"
- else
- l_kfile="$(grep -Pil -- '^\h*banner-message-enable\h*=\h*' /etc/dconf/db/$l_gdmprofile.d/*)"
- ! grep -Pq '^\h*\[org\/gnome\/login-screen\]' "$l_kfile" && sed -ri '/^\s*banner-message-enable/ i\[org/gnome/login-screen]' "$l_kfile"
- ! grep -Pq '^\h*banner-message-enable\h*=\h*true\b' "$l_kfile" && sed -ri 's/^\s*(banner-message-enable\s*=\s*)(\S+)(\s*.*$)/\1true \3//' "$l_kfile"
- # sed -ri '/^\s*\[org\/gnome\/login-screen\]/ a\\nbanner-message-enable=true' "$l_kfile"
- fi
- fi
- if ! grep -Piq "^\h*banner-message-text=[\'\"]+\S+" "$l_kfile"; then
- sed -ri "/^\s*banner-message-enable/ a\banner-message-text=$l_bmessage" "$l_kfile"
- fi
- dconf update
- else
- echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n - No remediation required\n"
- fi
-} -
+ l_gdmprofile="gdm" # Set this to desired profile name IaW Local site policy
+ l_bmessage="'Authorized uses only. All activity may be monitored and reported'" # Set to desired banner message
+ if [ ! -f "/etc/dconf/profile/$l_gdmprofile" ]; then
+ echo "Creating profile \"$l_gdmprofile\""
+ echo -e "user-db:user\nsystem-db:$l_gdmprofile\nfile-db:/usr/share/$l_gdmprofile/greeter-dconf-defaults" > /etc/dconf/profile/$l_gdmprofile
+ fi
+ if [ ! -d "/etc/dconf/db/$l_gdmprofile.d/" ]; then
+ echo "Creating dconf database directory \"/etc/dconf/db/$l_gdmprofile.d/\""
+ mkdir /etc/dconf/db/$l_gdmprofile.d/
+ fi
+ if ! grep -Piq '^\h*banner-message-enable\h*=\h*true\b' /etc/dconf/db/$l_gdmprofile.d/*; then
+ echo "creating gdm keyfile for machine-wide settings"
+ if ! grep -Piq -- '^\h*banner-message-enable\h*=\h*' /etc/dconf/db/$l_gdmprofile.d/*; then
+ l_kfile="/etc/dconf/db/$l_gdmprofile.d/01-banner-message"
+ echo -e "\n[org/gnome/login-screen]\nbanner-message-enable=true" >> "$l_kfile"
+ else
+ l_kfile="$(grep -Pil -- '^\h*banner-message-enable\h*=\h*' /etc/dconf/db/$l_gdmprofile.d/*)"
+ ! grep -Pq '^\h*\[org\/gnome\/login-screen\]' "$l_kfile" && sed -ri '/^\s*banner-message-enable/ i\[org/gnome/login-screen]' "$l_kfile"
+ ! grep -Pq '^\h*banner-message-enable\h*=\h*true\b' "$l_kfile" && sed -ri 's/^\s*(banner-message-enable\s*=\s*)(\S+)(\s*.*$)/\1true \3//' "$l_kfile"
+ # sed -ri '/^\s*\[org\/gnome\/login-screen\]/ a\\nbanner-message-enable=true' "$l_kfile"
+ fi
+ fi
+ if ! grep -Piq "^\h*banner-message-text=[\'\"]+\S+" "$l_kfile"; then
+ sed -ri "/^\s*banner-message-enable/ a\banner-message-text=$l_bmessage" "$l_kfile"
+ fi
+ dconf update
+ else
+ echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n - No remediation required\n"
+ fi
+ } + Note: 
@@ -9034,7 +9034,7 @@ Additional options and sections may appear in the Run the following command to remove the gdm package: # dnf remove gdm - + 
@@ -9053,8 +9053,8 @@ Additional options and sections may appear in the GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. -The disable-user-list - option controls if a list of users is displayed on the login screen + The disable-user-list + option controls if a list of users is displayed on the login screen 
@@ -9069,45 +9069,45 @@ The disable-user-list -Run the following script to enable the disable-user-list - option: + Run the following script to enable the disable-user-list + option: Note: - the l_gdm_profile - variable in the script can be changed if a different profile name is desired in accordance with local site policy. + the l_gdm_profile + variable in the script can be changed if a different profile name is desired in accordance with local site policy. -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_gdmprofile="gdm"
- if [ ! -f "/etc/dconf/profile/$l_gdmprofile" ]; then
- echo "Creating profile \"$l_gdmprofile\""
- echo -e "user-db:user\nsystem-db:$l_gdmprofile\nfile-db:/usr/share/$l_gdmprofile/greeter-dconf-defaults" > /etc/dconf/profile/$l_gdmprofile
- fi
- if [ ! -d "/etc/dconf/db/$l_gdmprofile.d/" ]; then
- echo "Creating dconf database directory \"/etc/dconf/db/$l_gdmprofile.d/\""
- mkdir /etc/dconf/db/$l_gdmprofile.d/
- fi
- if ! grep -Piq '^\h*disable-user-list\h*=\h*true\b' /etc/dconf/db/$l_gdmprofile.d/*; then
- echo "creating gdm keyfile for machine-wide settings"
- if ! grep -Piq -- '^\h*\[org\/gnome\/login-screen\]' /etc/dconf/db/$l_gdmprofile.d/*; then
- echo -e "\n[org/gnome/login-screen]\n# Do not show the user list\ndisable-user-list=true" >> /etc/dconf/db/$l_gdmprofile.d/00-login-screen
- else
- sed -ri '/^\s*\[org\/gnome\/login-screen\]/ a\# Do not show the user list\ndisable-user-list=true' $(grep -Pil -- '^\h*\[org\/gnome\/login-screen\]' /etc/dconf/db/$l_gdmprofile.d/*)
- fi
- fi
- dconf update
-} -
+ {
+ l_gdmprofile="gdm"
+ if [ ! -f "/etc/dconf/profile/$l_gdmprofile" ]; then
+ echo "Creating profile \"$l_gdmprofile\""
+ echo -e "user-db:user\nsystem-db:$l_gdmprofile\nfile-db:/usr/share/$l_gdmprofile/greeter-dconf-defaults" > /etc/dconf/profile/$l_gdmprofile
+ fi
+ if [ ! -d "/etc/dconf/db/$l_gdmprofile.d/" ]; then
+ echo "Creating dconf database directory \"/etc/dconf/db/$l_gdmprofile.d/\""
+ mkdir /etc/dconf/db/$l_gdmprofile.d/
+ fi
+ if ! grep -Piq '^\h*disable-user-list\h*=\h*true\b' /etc/dconf/db/$l_gdmprofile.d/*; then
+ echo "creating gdm keyfile for machine-wide settings"
+ if ! grep -Piq -- '^\h*\[org\/gnome\/login-screen\]' /etc/dconf/db/$l_gdmprofile.d/*; then
+ echo -e "\n[org/gnome/login-screen]\n# Do not show the user list\ndisable-user-list=true" >> /etc/dconf/db/$l_gdmprofile.d/00-login-screen
+ else
+ sed -ri '/^\s*\[org\/gnome\/login-screen\]/ a\# Do not show the user list\ndisable-user-list=true' $(grep -Pil -- '^\h*\[org\/gnome\/login-screen\]' /etc/dconf/db/$l_gdmprofile.d/*)
+ fi
+ fi
+ dconf update
+ } + Note: - When the user profile is created or changed, the user will need to log out and log in again before the changes will be applied. + When the user profile is created or changed, the user will need to log out and log in again before the changes will be applied. - OR - Run the following command to remove the GNOME package: # dnf remove gdm - +
@@ -9128,28 +9128,28 @@ Run the following script to enable the idle-delay=uint32 {n} - - Number of seconds of inactivity before the screen goes blank + - Number of seconds of inactivity before the screen goes blank lock-delay=uint32 {n} - - Number of seconds after the screen is blank before locking the screen + - Number of seconds after the screen is blank before locking the screen Example key file: -# Specify the dconf path
-[org/gnome/desktop/session]
+ # Specify the dconf path
+ [org/gnome/desktop/session]

-# Number of seconds of inactivity before the screen goes blank
-# Set to 0 seconds if you want to deactivate the screensaver.
-idle-delay=uint32 900
+ # Number of seconds of inactivity before the screen goes blank
+ # Set to 0 seconds if you want to deactivate the screensaver.
+ idle-delay=uint32 900

-# Specify the dconf path
-[org/gnome/desktop/screensaver]
+ # Specify the dconf path
+ [org/gnome/desktop/screensaver]

-# Number of seconds after the screen is blank before locking the screen
-lock-delay=uint32 5 -
+ # Number of seconds after the screen is blank before locking the screen
+ lock-delay=uint32 5 + 
@@ -9179,68 +9179,68 @@ lock-delay=uint32 5 -Create or edit a file in the /etc/dconf/profile/ - and verify it includes the following: + Create or edit a file in the /etc/dconf/profile/ + and verify it includes the following: -user-db:user
-system-db:{NAME_OF_DCONF_DATABASE} -
+ user-db:user
+ system-db:{NAME_OF_DCONF_DATABASE} + Note: local - is the name of a dconf database used in the examples. + is the name of a dconf database used in the examples. Example: # echo -e '\nuser-db:user\nsystem-db:local' >> /etc/dconf/profile/user - + -Create the directory /etc/dconf/db/{NAME_OF_DCONF_DATABASE}.d/ - if it doesn't already exist: + Create the directory /etc/dconf/db/{NAME_OF_DCONF_DATABASE}.d/ + if it doesn't already exist: Example: # mkdir /etc/dconf/db/local.d - + -Create the key file /etc/dconf/db/{NAME_OF_DCONF_DATABASE}.d/{FILE_NAME} - to provide information for the {NAME_OF_DCONF_DATABASE} - database: + Create the key file /etc/dconf/db/{NAME_OF_DCONF_DATABASE}.d/{FILE_NAME} + to provide information for the {NAME_OF_DCONF_DATABASE} + database: Example script: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_key_file="/etc/dconf/db/local.d/00-screensaver"
- l_idmv="900" # Set max value for idle-delay in seconds (between 1 and 900)
- l_ldmv="5" # Set max value for lock-delay in seconds (between 0 and 5)
- {
- echo '# Specify the dconf path'
- echo '[org/gnome/desktop/session]'
- echo ''
- echo '# Number of seconds of inactivity before the screen goes blank'
- echo '# Set to 0 seconds if you want to deactivate the screensaver.'
- echo "idle-delay=uint32 $l_idmv"
- echo ''
- echo '# Specify the dconf path'
- echo '[org/gnome/desktop/screensaver]'
- echo ''
- echo '# Number of seconds after the screen is blank before locking the screen'
- echo "lock-delay=uint32 $l_ldmv"
- } > "$l_key_file"
-} -
+ {
+ l_key_file="/etc/dconf/db/local.d/00-screensaver"
+ l_idmv="900" # Set max value for idle-delay in seconds (between 1 and 900)
+ l_ldmv="5" # Set max value for lock-delay in seconds (between 0 and 5)
+ {
+ echo '# Specify the dconf path'
+ echo '[org/gnome/desktop/session]'
+ echo ''
+ echo '# Number of seconds of inactivity before the screen goes blank'
+ echo '# Set to 0 seconds if you want to deactivate the screensaver.'
+ echo "idle-delay=uint32 $l_idmv"
+ echo ''
+ echo '# Specify the dconf path'
+ echo '[org/gnome/desktop/screensaver]'
+ echo ''
+ echo '# Number of seconds after the screen is blank before locking the screen'
+ echo "lock-delay=uint32 $l_ldmv"
+ } > "$l_key_file"
+ } + Note: - You must include the uint32 along with the integer key values as shown. + You must include the uint32 along with the integer key values as shown. Run the following command to update the system databases: # dconf update - + Note: - Users must log out and back in again before the system-wide settings take effect. + Users must log out and back in again before the system-wide settings take effect.
@@ -9265,10 +9265,10 @@ Create the key file /etc/dconf/ Example Lock File: -# Lock desktop screensaver settings
-/org/gnome/desktop/session/idle-delay
-/org/gnome/desktop/screensaver/lock-delay -
+ # Lock desktop screensaver settings
+ /org/gnome/desktop/session/idle-delay
+ /org/gnome/desktop/screensaver/lock-delay + @@ -9301,67 +9301,67 @@ Create the key file /etc/dconf/ Run the following script to ensure screen locks cannot be overridden: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- # Check if GNMOE Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
- # determine system's package manager
- l_pkgoutput=""
- if command -v dpkg-query > /dev/null 2>&1; then
- l_pq="dpkg-query -W"
- elif command -v rpm > /dev/null 2>&1; then
- l_pq="rpm -q"
- fi
- # Check if GDM is installed
- l_pcl="gdm gdm3" # Space separated list of packages to check
- for l_pn in $l_pcl; do
- $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="y" && echo -e "\n - Package: \"$l_pn\" exists on the system\n - remediating configuration if needed"
- done
- # Check configuration (If applicable)
- if [ -n "$l_pkgoutput" ]; then
- # Look for idle-delay to determine profile in use, needed for remaining tests
- l_kfd="/etc/dconf/db/$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
- # Look for lock-delay to determine profile in use, needed for remaining tests
- l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*lock-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
- if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked
- if grep -Prilq '^\h*\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd"; then
- echo " - \"idle-delay\" is locked in \"$(grep -Pril '^\h*\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd")\""
- else
- echo "creating entry to lock \"idle-delay\""
- [ ! -d "$l_kfd"/locks ] && echo "creating directory $l_kfd/locks" && mkdir "$l_kfd"/locks
- {
- echo -e '\n# Lock desktop screensaver idle-delay setting'
- echo '/org/gnome/desktop/session/idle-delay'
- } >> "$l_kfd"/locks/00-screensaver
- fi
- else
- echo -e " - \"idle-delay\" is not set so it can not be locked\n - Please follow Recommendation \"Ensure GDM screen locks when the user is idle\" and follow this Recommendation again"
- fi
- if [ -d "$l_kfd2" ]; then # If key file directory doesn't exist, options can't be locked
- if grep -Prilq '^\h*\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2"; then
- echo " - \"lock-delay\" is locked in \"$(grep -Pril '^\h*\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2")\""
- else
- echo "creating entry to lock \"lock-delay\""
- [ ! -d "$l_kfd2"/locks ] && echo "creating directory $l_kfd2/locks" && mkdir "$l_kfd2"/locks
- {
- echo -e '\n# Lock desktop screensaver lock-delay setting'
- echo '/org/gnome/desktop/screensaver/lock-delay'
- } >> "$l_kfd2"/locks/00-screensaver
- fi
- else
- echo -e " - \"lock-delay\" is not set so it can not be locked\n - Please follow Recommendation \"Ensure GDM screen locks when the user is idle\" and follow this Recommendation again"
- fi
- else
- echo -e " - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
- fi
-} -
+ {
+ # Check if GNMOE Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
+ # determine system's package manager
+ l_pkgoutput=""
+ if command -v dpkg-query > /dev/null 2>&1; then
+ l_pq="dpkg-query -W"
+ elif command -v rpm > /dev/null 2>&1; then
+ l_pq="rpm -q"
+ fi
+ # Check if GDM is installed
+ l_pcl="gdm gdm3" # Space separated list of packages to check
+ for l_pn in $l_pcl; do
+ $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="y" && echo -e "\n - Package: \"$l_pn\" exists on the system\n - remediating configuration if needed"
+ done
+ # Check configuration (If applicable)
+ if [ -n "$l_pkgoutput" ]; then
+ # Look for idle-delay to determine profile in use, needed for remaining tests
+ l_kfd="/etc/dconf/db/$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
+ # Look for lock-delay to determine profile in use, needed for remaining tests
+ l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*lock-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
+ if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked
+ if grep -Prilq '^\h*\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd"; then
+ echo " - \"idle-delay\" is locked in \"$(grep -Pril '^\h*\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd")\""
+ else
+ echo "creating entry to lock \"idle-delay\""
+ [ ! -d "$l_kfd"/locks ] && echo "creating directory $l_kfd/locks" && mkdir "$l_kfd"/locks
+ {
+ echo -e '\n# Lock desktop screensaver idle-delay setting'
+ echo '/org/gnome/desktop/session/idle-delay'
+ } >> "$l_kfd"/locks/00-screensaver
+ fi
+ else
+ echo -e " - \"idle-delay\" is not set so it can not be locked\n - Please follow Recommendation \"Ensure GDM screen locks when the user is idle\" and follow this Recommendation again"
+ fi
+ if [ -d "$l_kfd2" ]; then # If key file directory doesn't exist, options can't be locked
+ if grep -Prilq '^\h*\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2"; then
+ echo " - \"lock-delay\" is locked in \"$(grep -Pril '^\h*\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2")\""
+ else
+ echo "creating entry to lock \"lock-delay\""
+ [ ! -d "$l_kfd2"/locks ] && echo "creating directory $l_kfd2/locks" && mkdir "$l_kfd2"/locks
+ {
+ echo -e '\n# Lock desktop screensaver lock-delay setting'
+ echo '/org/gnome/desktop/screensaver/lock-delay'
+ } >> "$l_kfd2"/locks/00-screensaver
+ fi
+ else
+ echo -e " - \"lock-delay\" is not set so it can not be locked\n - Please follow Recommendation \"Ensure GDM screen locks when the user is idle\" and follow this Recommendation again"
+ fi
+ else
+ echo -e " - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
+ fi
+ } + Run the following command to update the system databases: # dconf update - + Note: - Users must log out and back in again before the system-wide settings take effect. + Users must log out and back in again before the system-wide settings take effect.
@@ -9409,98 +9409,98 @@ Create the key file /etc/dconf/ Run the following script to disable automatic mounting of media for all GNOME users: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_pkgoutput=""
- l_gpname="local" # Set to desired dconf profile name (default is local)
- # Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
- # determine system's package manager
- if command -v dpkg-query > /dev/null 2>&1; then
- l_pq="dpkg-query -W"
- elif command -v rpm > /dev/null 2>&1; then
- l_pq="rpm -q"
- fi
- # Check if GDM is installed
- l_pcl="gdm gdm3" # Space separated list of packages to check
- for l_pn in $l_pcl; do
- $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
- done
- # Check configuration (If applicable)
- if [ -n "$l_pkgoutput" ]; then
- echo -e "$l_pkgoutput"
- # Look for existing settings and set variables if they exist
- l_kfile="$(grep -Prils -- '^\h*automount\b' /etc/dconf/db/*.d)"
- l_kfile2="$(grep -Prils -- '^\h*automount-open\b' /etc/dconf/db/*.d)"
- # Set profile name based on dconf db directory ({PROFILE_NAME}.d)
- if [ -f "$l_kfile" ]; then
- l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
- echo " - updating dconf profile name to \"$l_gpname\""
- elif [ -f "$l_kfile2" ]; then
- l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile2")"
- echo " - updating dconf profile name to \"$l_gpname\""
- fi
- # check for consistency (Clean up configuration if needed)
- if [ -f "$l_kfile" ] && [ "$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")" != "$l_gpname" ]; then
- sed -ri "/^\s*automount\s*=/s/^/# /" "$l_kfile"
- l_kfile="/etc/dconf/db/$l_gpname.d/00-media-automount"
- fi
- if [ -f "$l_kfile2" ] && [ "$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile2")" != "$l_gpname" ]; then
- sed -ri "/^\s*automount-open\s*=/s/^/# /" "$l_kfile2"
- fi
- [ -z "$l_kfile" ] && l_kfile="/etc/dconf/db/$l_gpname.d/00-media-automount"
- # Check if profile file exists
- if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
- echo -e "\n - dconf database profile exists in: \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\""
- else
- if [ ! -f "/etc/dconf/profile/user" ]; then
- l_gpfile="/etc/dconf/profile/user"
- else
- l_gpfile="/etc/dconf/profile/user2"
- fi
- echo -e " - creating dconf database profile"
- {
- echo -e "\nuser-db:user"
- echo "system-db:$l_gpname"
- } >> "$l_gpfile"
- fi
- # create dconf directory if it doesn't exists
- l_gpdir="/etc/dconf/db/$l_gpname.d"
- if [ -d "$l_gpdir" ]; then
- echo " - The dconf database directory \"$l_gpdir\" exists"
- else
- echo " - creating dconf database directory \"$l_gpdir\""
- mkdir "$l_gpdir"
- fi
- # check automount-open setting
- if grep -Pqs -- '^\h*automount-open\h*=\h*false\b' "$l_kfile"; then
- echo " - \"automount-open\" is set to false in: \"$l_kfile\""
- else
- echo " - creating \"automount-open\" entry in \"$l_kfile\""
- ! grep -Psq -- '\^\h*\[org\/gnome\/desktop\/media-handling\]\b' "$l_kfile" && echo '[org/gnome/desktop/media-handling]' >> "$l_kfile"
- sed -ri '/^\s*\[org\/gnome\/desktop\/media-handling\]/a \\nautomount-open=false' "$l_kfile"
- fi
- # check automount setting
- if grep -Pqs -- '^\h*automount\h*=\h*false\b' "$l_kfile"; then
- echo " - \"automount\" is set to false in: \"$l_kfile\""
- else
- echo " - creating \"automount\" entry in \"$l_kfile\""
- ! grep -Psq -- '\^\h*\[org\/gnome\/desktop\/media-handling\]\b' "$l_kfile" && echo '[org/gnome/desktop/media-handling]' >> "$l_kfile"
- sed -ri '/^\s*\[org\/gnome\/desktop\/media-handling\]/a \\nautomount=false' "$l_kfile"
- fi
- # update dconf database
- dconf update
- else
- echo -e "\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
- fi
-} -
+ {
+ l_pkgoutput=""
+ l_gpname="local" # Set to desired dconf profile name (default is local)
+ # Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
+ # determine system's package manager
+ if command -v dpkg-query > /dev/null 2>&1; then
+ l_pq="dpkg-query -W"
+ elif command -v rpm > /dev/null 2>&1; then
+ l_pq="rpm -q"
+ fi
+ # Check if GDM is installed
+ l_pcl="gdm gdm3" # Space separated list of packages to check
+ for l_pn in $l_pcl; do
+ $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
+ done
+ # Check configuration (If applicable)
+ if [ -n "$l_pkgoutput" ]; then
+ echo -e "$l_pkgoutput"
+ # Look for existing settings and set variables if they exist
+ l_kfile="$(grep -Prils -- '^\h*automount\b' /etc/dconf/db/*.d)"
+ l_kfile2="$(grep -Prils -- '^\h*automount-open\b' /etc/dconf/db/*.d)"
+ # Set profile name based on dconf db directory ({PROFILE_NAME}.d)
+ if [ -f "$l_kfile" ]; then
+ l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
+ echo " - updating dconf profile name to \"$l_gpname\""
+ elif [ -f "$l_kfile2" ]; then
+ l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile2")"
+ echo " - updating dconf profile name to \"$l_gpname\""
+ fi
+ # check for consistency (Clean up configuration if needed)
+ if [ -f "$l_kfile" ] && [ "$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")" != "$l_gpname" ]; then
+ sed -ri "/^\s*automount\s*=/s/^/# /" "$l_kfile"
+ l_kfile="/etc/dconf/db/$l_gpname.d/00-media-automount"
+ fi
+ if [ -f "$l_kfile2" ] && [ "$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile2")" != "$l_gpname" ]; then
+ sed -ri "/^\s*automount-open\s*=/s/^/# /" "$l_kfile2"
+ fi
+ [ -z "$l_kfile" ] && l_kfile="/etc/dconf/db/$l_gpname.d/00-media-automount"
+ # Check if profile file exists
+ if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
+ echo -e "\n - dconf database profile exists in: \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\""
+ else
+ if [ ! -f "/etc/dconf/profile/user" ]; then
+ l_gpfile="/etc/dconf/profile/user"
+ else
+ l_gpfile="/etc/dconf/profile/user2"
+ fi
+ echo -e " - creating dconf database profile"
+ {
+ echo -e "\nuser-db:user"
+ echo "system-db:$l_gpname"
+ } >> "$l_gpfile"
+ fi
+ # create dconf directory if it doesn't exists
+ l_gpdir="/etc/dconf/db/$l_gpname.d"
+ if [ -d "$l_gpdir" ]; then
+ echo " - The dconf database directory \"$l_gpdir\" exists"
+ else
+ echo " - creating dconf database directory \"$l_gpdir\""
+ mkdir "$l_gpdir"
+ fi
+ # check automount-open setting
+ if grep -Pqs -- '^\h*automount-open\h*=\h*false\b' "$l_kfile"; then
+ echo " - \"automount-open\" is set to false in: \"$l_kfile\""
+ else
+ echo " - creating \"automount-open\" entry in \"$l_kfile\""
+ ! grep -Psq -- '\^\h*\[org\/gnome\/desktop\/media-handling\]\b' "$l_kfile" && echo '[org/gnome/desktop/media-handling]' >> "$l_kfile"
+ sed -ri '/^\s*\[org\/gnome\/desktop\/media-handling\]/a \\nautomount-open=false' "$l_kfile"
+ fi
+ # check automount setting
+ if grep -Pqs -- '^\h*automount\h*=\h*false\b' "$l_kfile"; then
+ echo " - \"automount\" is set to false in: \"$l_kfile\""
+ else
+ echo " - creating \"automount\" entry in \"$l_kfile\""
+ ! grep -Psq -- '\^\h*\[org\/gnome\/desktop\/media-handling\]\b' "$l_kfile" && echo '[org/gnome/desktop/media-handling]' >> "$l_kfile"
+ sed -ri '/^\s*\[org\/gnome\/desktop\/media-handling\]/a \\nautomount=false' "$l_kfile"
+ fi
+ # update dconf database
+ dconf update
+ else
+ echo -e "\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
+ fi
+ } + - OR - Run the following command to uninstall the GNOME desktop Manager package: # dnf remove gdm - + Impact: The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting. @@ -9528,10 +9528,10 @@ Create the key file /etc/dconf/ Example Lock File: -# Lock automount settings
-/org/gnome/desktop/media-handling/automount
-/org/gnome/desktop/media-handling/automount-open -
+ # Lock automount settings
+ /org/gnome/desktop/media-handling/automount
+ /org/gnome/desktop/media-handling/automount-open + @@ -9562,63 +9562,63 @@ Create the key file /etc/dconf/ Run the following script to lock disable automatic mounting of media for all GNOME users: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- # Check if GNMOE Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
- # determine system's package manager
- l_pkgoutput=""
- if command -v dpkg-query > /dev/null 2>&1; then
- l_pq="dpkg-query -W"
- elif command -v rpm > /dev/null 2>&1; then
- l_pq="rpm -q"
- fi
- # Check if GDM is installed
- l_pcl="gdm gdm3" # Space separated list of packages to check
- for l_pn in $l_pcl; do
- $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="y" && echo -e "\n - Package: \"$l_pn\" exists on the system\n - remediating configuration if needed"
- done
- # Check configuration (If applicable)
- if [ -n "$l_pkgoutput" ]; then
- # Look for automount to determine profile in use, needed for remaining tests
- l_kfd="/etc/dconf/db/$(grep -Psril '^\h*automount\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
- # Look for automount-open to determine profile in use, needed for remaining tests
- l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*automount-open\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
- if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked
- if grep -Priq '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd"; then
- echo " - \"automount\" is locked in \"$(grep -Pril '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd")\""
- else
- echo " - creating entry to lock \"automount\""
- [ ! -d "$l_kfd"/locks ] && echo "creating directory $l_kfd/locks" && mkdir "$l_kfd"/locks
- {
- echo -e '\n# Lock desktop media-handling automount setting'
- echo '/org/gnome/desktop/media-handling/automount'
- } >> "$l_kfd"/locks/00-media-automount
- fi
- else
- echo -e " - \"automount\" is not set so it can not be locked\n - Please follow Recommendation \"Ensure GDM automatic mounting of removable media is disabled\" and follow this Recommendation again"
- fi
- if [ -d "$l_kfd2" ]; then # If key file directory doesn't exist, options can't be locked
- if grep -Priq '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2"; then
- echo " - \"automount-open\" is locked in \"$(grep -Pril '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2")\""
- else
- echo " - creating entry to lock \"automount-open\""
- [ ! -d "$l_kfd2"/locks ] && echo "creating directory $l_kfd2/locks" && mkdir "$l_kfd2"/locks
- {
- echo -e '\n# Lock desktop media-handling automount-open setting'
- echo '/org/gnome/desktop/media-handling/automount-open'
- } >> "$l_kfd2"/locks/00-media-automount
- fi
- else
- echo -e " - \"automount-open\" is not set so it can not be locked\n - Please follow Recommendation \"Ensure GDM automatic mounting of removable media is disabled\" and follow this Recommendation again"
- fi
- # update dconf database
- dconf update
- else
- echo -e " - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
- fi
-} -
+ {
+ # Check if GNMOE Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
+ # determine system's package manager
+ l_pkgoutput=""
+ if command -v dpkg-query > /dev/null 2>&1; then
+ l_pq="dpkg-query -W"
+ elif command -v rpm > /dev/null 2>&1; then
+ l_pq="rpm -q"
+ fi
+ # Check if GDM is installed
+ l_pcl="gdm gdm3" # Space separated list of packages to check
+ for l_pn in $l_pcl; do
+ $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="y" && echo -e "\n - Package: \"$l_pn\" exists on the system\n - remediating configuration if needed"
+ done
+ # Check configuration (If applicable)
+ if [ -n "$l_pkgoutput" ]; then
+ # Look for automount to determine profile in use, needed for remaining tests
+ l_kfd="/etc/dconf/db/$(grep -Psril '^\h*automount\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
+ # Look for automount-open to determine profile in use, needed for remaining tests
+ l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*automount-open\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
+ if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked
+ if grep -Priq '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd"; then
+ echo " - \"automount\" is locked in \"$(grep -Pril '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd")\""
+ else
+ echo " - creating entry to lock \"automount\""
+ [ ! -d "$l_kfd"/locks ] && echo "creating directory $l_kfd/locks" && mkdir "$l_kfd"/locks
+ {
+ echo -e '\n# Lock desktop media-handling automount setting'
+ echo '/org/gnome/desktop/media-handling/automount'
+ } >> "$l_kfd"/locks/00-media-automount
+ fi
+ else
+ echo -e " - \"automount\" is not set so it can not be locked\n - Please follow Recommendation \"Ensure GDM automatic mounting of removable media is disabled\" and follow this Recommendation again"
+ fi
+ if [ -d "$l_kfd2" ]; then # If key file directory doesn't exist, options can't be locked
+ if grep -Priq '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2"; then
+ echo " - \"automount-open\" is locked in \"$(grep -Pril '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2")\""
+ else
+ echo " - creating entry to lock \"automount-open\""
+ [ ! -d "$l_kfd2"/locks ] && echo "creating directory $l_kfd2/locks" && mkdir "$l_kfd2"/locks
+ {
+ echo -e '\n# Lock desktop media-handling automount-open setting'
+ echo '/org/gnome/desktop/media-handling/automount-open'
+ } >> "$l_kfd2"/locks/00-media-automount
+ fi
+ else
+ echo -e " - \"automount-open\" is not set so it can not be locked\n - Please follow Recommendation \"Ensure GDM automatic mounting of removable media is disabled\" and follow this Recommendation again"
+ fi
+ # update dconf database
+ dconf update
+ else
+ echo -e " - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
+ fi
+ } + Impact: The use of portable hard drives is very common for workstation users @@ -9640,8 +9640,8 @@ Create the key file /etc/dconf/ Ensure GDM autorun-never is enabled -The autorun-never - setting allows the GNOME Desktop Display Manager to disable autorun through GDM. + The autorun-never + setting allows the GNOME Desktop Display Manager to disable autorun through GDM. @@ -9670,77 +9670,77 @@ The autorun-never -Run the following script to set autorun-never - to true - for GDM users: + Run the following script to set autorun-never + to true + for GDM users: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_pkgoutput="" l_output="" l_output2=""
- l_gpname="local" # Set to desired dconf profile name (default is local)
- # Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
- # determine system's package manager
- if command -v dpkg-query > /dev/null 2>&1; then
- l_pq="dpkg-query -W"
- elif command -v rpm > /dev/null 2>&1; then
- l_pq="rpm -q"
- fi
- # Check if GDM is installed
- l_pcl="gdm gdm3" # Space separated list of packages to check
- for l_pn in $l_pcl; do
- $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
- done
- echo -e "$l_pkgoutput"
- # Check configuration (If applicable)
- if [ -n "$l_pkgoutput" ]; then
- echo -e "$l_pkgoutput"
- # Look for existing settings and set variables if they exist
- l_kfile="$(grep -Prils -- '^\h*autorun-never\b' /etc/dconf/db/*.d)"
- # Set profile name based on dconf db directory ({PROFILE_NAME}.d)
- if [ -f "$l_kfile" ]; then
- l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
- echo " - updating dconf profile name to \"$l_gpname\""
- fi
- [ ! -f "$l_kfile" ] && l_kfile="/etc/dconf/db/$l_gpname.d/00-media-autorun"
- # Check if profile file exists
- if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
- echo -e "\n - dconf database profile exists in: \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\""
- else
- [ ! -f "/etc/dconf/profile/user" ] && l_gpfile="/etc/dconf/profile/user" || l_gpfile="/etc/dconf/profile/user2"
- echo -e " - creating dconf database profile"
- {
- echo -e "\nuser-db:user"
- echo "system-db:$l_gpname"
- } >> "$l_gpfile"
- fi
- # create dconf directory if it doesn't exists
- l_gpdir="/etc/dconf/db/$l_gpname.d"
- if [ -d "$l_gpdir" ]; then
- echo " - The dconf database directory \"$l_gpdir\" exists"
- else
- echo " - creating dconf database directory \"$l_gpdir\""
- mkdir "$l_gpdir"
- fi
- # check autorun-never setting
- if grep -Pqs -- '^\h*autorun-never\h*=\h*true\b' "$l_kfile"; then
- echo " - \"autorun-never\" is set to true in: \"$l_kfile\""
- else
- echo " - creating or updating \"autorun-never\" entry in \"$l_kfile\""
- if grep -Psq -- '^\h*autorun-never' "$l_kfile"; then
- sed -ri 's/(^\s*autorun-never\s*=\s*)(\S+)(\s*.*)$/\1true \3/' "$l_kfile"
- else
- ! grep -Psq -- '\^\h*\[org\/gnome\/desktop\/media-handling\]\b' "$l_kfile" && echo '[org/gnome/desktop/media-handling]' >> "$l_kfile"
- sed -ri '/^\s*\[org\/gnome\/desktop\/media-handling\]/a \\nautorun-never=true' "$l_kfile"
- fi
- fi
- else
- echo -e "\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
- fi
- # update dconf database
- dconf update
-} -
+ {
+ l_pkgoutput="" l_output="" l_output2=""
+ l_gpname="local" # Set to desired dconf profile name (default is local)
+ # Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
+ # determine system's package manager
+ if command -v dpkg-query > /dev/null 2>&1; then
+ l_pq="dpkg-query -W"
+ elif command -v rpm > /dev/null 2>&1; then
+ l_pq="rpm -q"
+ fi
+ # Check if GDM is installed
+ l_pcl="gdm gdm3" # Space separated list of packages to check
+ for l_pn in $l_pcl; do
+ $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
+ done
+ echo -e "$l_pkgoutput"
+ # Check configuration (If applicable)
+ if [ -n "$l_pkgoutput" ]; then
+ echo -e "$l_pkgoutput"
+ # Look for existing settings and set variables if they exist
+ l_kfile="$(grep -Prils -- '^\h*autorun-never\b' /etc/dconf/db/*.d)"
+ # Set profile name based on dconf db directory ({PROFILE_NAME}.d)
+ if [ -f "$l_kfile" ]; then
+ l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
+ echo " - updating dconf profile name to \"$l_gpname\""
+ fi
+ [ ! -f "$l_kfile" ] && l_kfile="/etc/dconf/db/$l_gpname.d/00-media-autorun"
+ # Check if profile file exists
+ if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
+ echo -e "\n - dconf database profile exists in: \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\""
+ else
+ [ ! -f "/etc/dconf/profile/user" ] && l_gpfile="/etc/dconf/profile/user" || l_gpfile="/etc/dconf/profile/user2"
+ echo -e " - creating dconf database profile"
+ {
+ echo -e "\nuser-db:user"
+ echo "system-db:$l_gpname"
+ } >> "$l_gpfile"
+ fi
+ # create dconf directory if it doesn't exists
+ l_gpdir="/etc/dconf/db/$l_gpname.d"
+ if [ -d "$l_gpdir" ]; then
+ echo " - The dconf database directory \"$l_gpdir\" exists"
+ else
+ echo " - creating dconf database directory \"$l_gpdir\""
+ mkdir "$l_gpdir"
+ fi
+ # check autorun-never setting
+ if grep -Pqs -- '^\h*autorun-never\h*=\h*true\b' "$l_kfile"; then
+ echo " - \"autorun-never\" is set to true in: \"$l_kfile\""
+ else
+ echo " - creating or updating \"autorun-never\" entry in \"$l_kfile\""
+ if grep -Psq -- '^\h*autorun-never' "$l_kfile"; then
+ sed -ri 's/(^\s*autorun-never\s*=\s*)(\S+)(\s*.*)$/\1true \3/' "$l_kfile"
+ else
+ ! grep -Psq -- '\^\h*\[org\/gnome\/desktop\/media-handling\]\b' "$l_kfile" && echo '[org/gnome/desktop/media-handling]' >> "$l_kfile"
+ sed -ri '/^\s*\[org\/gnome\/desktop\/media-handling\]/a \\nautorun-never=true' "$l_kfile"
+ fi
+ fi
+ else
+ echo -e "\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
+ fi
+ # update dconf database
+ dconf update
+ } +
@@ -9762,9 +9762,9 @@ Run the following script to set To lock down a dconf key or subpath, create a locks subdirectory in the keyfile directory. The files inside this directory contain a list of keys or subpaths to lock. Just as with the keyfiles, you may add any number of files to this directory.
Example Lock File: -# Lock desktop media-handling settings
-/org/gnome/desktop/media-handling/autorun-never -
+ # Lock desktop media-handling settings
+ /org/gnome/desktop/media-handling/autorun-never + @@ -9793,50 +9793,50 @@ Run the following script to set -Run the following script to ensure that autorun-never=true - cannot be overridden: + Run the following script to ensure that autorun-never=true + cannot be overridden: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- # Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
- # determine system's package manager
- l_pkgoutput=""
- if command -v dpkg-query > /dev/null 2>&1; then
- l_pq="dpkg-query -W"
- elif command -v rpm > /dev/null 2>&1; then
- l_pq="rpm -q"
- fi
- # Check if GDM is installed
- l_pcl="gdm gdm3" # Space separated list of packages to check
- for l_pn in $l_pcl; do
- $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="y" && echo -e "\n - Package: \"$l_pn\" exists on the system\n - remediating configuration if needed"
- done
- # Check configuration (If applicable)
- if [ -n "$l_pkgoutput" ]; then
- # Look for autorun to determine profile in use, needed for remaining tests
- l_kfd="/etc/dconf/db/$(grep -Psril '^\h*autorun-never\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
- if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked
- if grep -Priq '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd"; then
- echo " - \"autorun-never\" is locked in \"$(grep -Pril '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd")\""
- else
- echo " - creating entry to lock \"autorun-never\""
- [ ! -d "$l_kfd"/locks ] && echo "creating directory $l_kfd/locks" && mkdir "$l_kfd"/locks
- {
- echo -e '\n# Lock desktop media-handling autorun-never setting'
- echo '/org/gnome/desktop/media-handling/autorun-never'
- } >> "$l_kfd"/locks/00-media-autorun
- fi
- else
- echo -e " - \"autorun-never\" is not set so it can not be locked\n - Please follow Recommendation \"Ensure GDM autorun-never is enabled\" and follow this Recommendation again"
- fi
- # update dconf database
- dconf update
- else
- echo -e " - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
- fi
-} -
+ {
+ # Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
+ # determine system's package manager
+ l_pkgoutput=""
+ if command -v dpkg-query > /dev/null 2>&1; then
+ l_pq="dpkg-query -W"
+ elif command -v rpm > /dev/null 2>&1; then
+ l_pq="rpm -q"
+ fi
+ # Check if GDM is installed
+ l_pcl="gdm gdm3" # Space separated list of packages to check
+ for l_pn in $l_pcl; do
+ $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="y" && echo -e "\n - Package: \"$l_pn\" exists on the system\n - remediating configuration if needed"
+ done
+ # Check configuration (If applicable)
+ if [ -n "$l_pkgoutput" ]; then
+ # Look for autorun to determine profile in use, needed for remaining tests
+ l_kfd="/etc/dconf/db/$(grep -Psril '^\h*autorun-never\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
+ if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked
+ if grep -Priq '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd"; then
+ echo " - \"autorun-never\" is locked in \"$(grep -Pril '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd")\""
+ else
+ echo " - creating entry to lock \"autorun-never\""
+ [ ! -d "$l_kfd"/locks ] && echo "creating directory $l_kfd/locks" && mkdir "$l_kfd"/locks
+ {
+ echo -e '\n# Lock desktop media-handling autorun-never setting'
+ echo '/org/gnome/desktop/media-handling/autorun-never'
+ } >> "$l_kfd"/locks/00-media-autorun
+ fi
+ else
+ echo -e " - \"autorun-never\" is not set so it can not be locked\n - Please follow Recommendation \"Ensure GDM autorun-never is enabled\" and follow this Recommendation again"
+ fi
+ # update dconf database
+ dconf update
+ else
+ echo -e " - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
+ fi
+ } + @@ -9886,10 +9886,10 @@ Run the following script to ensure that /etc/gdm/custom.conf - and remove the line: + Edit the file /etc/gdm/custom.conf + and remove the line: Enable=true - + @@ -9912,7 +9912,7 @@ Edit the file /etc/gdm/custom.c This section describes services that are installed on systems that specifically need to run these services. If any of these services are not required, it is recommended that the package be removed. - IF - - the package is required for a dependency: + the package is required for a dependency: Ensure the dependent package is approved by local site policy Ensure stopping and masking the service and/or socket meets local site policy @@ -9920,19 +9920,19 @@ Edit the file /etc/gdm/custom.c The following commands can be used to stop and mask the service and socket: -# systemctl stop <service_name>.socket <service_name>.service
-# systemctl mask <service_name>.socket <service_name>.service -
+ # systemctl stop <service_name>.socket <service_name>.service
+ # systemctl mask <service_name>.socket <service_name>.service + Note: - This should not be considered a comprehensive list of services not required for normal system operation. You may wish to consider additions to those listed here for your environment + This should not be considered a comprehensive list of services not required for normal system operation. You may wish to consider additions to those listed here for your environment Ensure autofs services are not in use autofs - allows automatic mounting of devices, typically including CD/DVDs and USB drives. + allows automatic mounting of devices, typically including CD/DVDs and USB drives. @@ -9965,40 +9965,40 @@ Edit the file /etc/gdm/custom.c -Run the following commands to stop autofs.service - and remove autofs - package: + Run the following commands to stop autofs.service + and remove autofs + package: -# systemctl stop autofs.service
-# dnf remove autofs -
+ # systemctl stop autofs.service
+ # dnf remove autofs + - OR - - IF - - the autofs - package is required as a dependency: + the autofs + package is required as a dependency: -Run the following commands to stop and mask autofs.service -: + Run the following commands to stop and mask autofs.service + : -# systemctl stop autofs.service
-# systemctl mask autofs.service -
+ # systemctl stop autofs.service
+ # systemctl mask autofs.service + Impact: The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting. -There may be packages that are dependent on the autofs - package. If the autofs - package is removed, these dependent packages will be removed as well. Before removing the autofs - package, review any dependent packages to determine if they are required on the system. + There may be packages that are dependent on the autofs + package. If the autofs + package is removed, these dependent packages will be removed as well. Before removing the autofs + package, review any dependent packages to determine if they are required on the system. - IF - - a dependent package is required: stop and mask the autofs.service - leaving the autofs - package installed. + a dependent package is required: stop and mask the autofs.service + leaving the autofs + package installed.
@@ -10052,42 +10052,42 @@ There may be packages that are dependent on the -Run the following commands to stop avahi-daemon.socket - and avahi-daemon.service -, and remove the avahi - package: + Run the following commands to stop avahi-daemon.socket + and avahi-daemon.service + , and remove the avahi + package: -# systemctl stop avahi-daemon.socket avahi-daemon.service
-# dnf remove avahi -
+ # systemctl stop avahi-daemon.socket avahi-daemon.service
+ # dnf remove avahi + - OR - - IF - - the avahi - package is required as a dependency: + the avahi + package is required as a dependency: -Run the following commands to stop and mask the avahi-daemon.socket - and avahi-daemon.service -: + Run the following commands to stop and mask the avahi-daemon.socket + and avahi-daemon.service + : -# systemctl stop avahi-daemon.socket avahi-daemon.service
-# systemctl mask avahi-daemon.socket avahi-daemon.service -
+ # systemctl stop avahi-daemon.socket avahi-daemon.service
+ # systemctl mask avahi-daemon.socket avahi-daemon.service + Impact: -There may be packages that are dependent on the avahi - package. If the avahi - package is removed, these dependent packages will be removed as well. Before removing the avahi - package, review any dependent packages to determine if they are required on the system. + There may be packages that are dependent on the avahi + package. If the avahi + package is removed, these dependent packages will be removed as well. Before removing the avahi + package, review any dependent packages to determine if they are required on the system. - IF - - a dependent package is required: stop and mask the avahi-daemon.socket - and avahi-daemon.service - leaving the avahi - package installed. + a dependent package is required: stop and mask the avahi-daemon.socket + and avahi-daemon.service + leaving the avahi + package installed. @@ -10124,11 +10124,11 @@ There may be packages that are dependent on the Ensure dhcp server services are not in use -The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses. There are two versions of the DHCP protocol DHCPv4 - and DHCPv6 -. At startup the server may be started for one or the other via the -4 - or -6 - arguments. + The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses. There are two versions of the DHCP protocol DHCPv4 + and DHCPv6 + . At startup the server may be started for one or the other via the -4 + or -6 + arguments. 
@@ -10150,8 +10150,8 @@ The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines -Unless a system is specifically set up to act as a DHCP server, it is recommended that the dhcp-server - package be removed to reduce the potential attack surface. + Unless a system is specifically set up to act as a DHCP server, it is recommended that the dhcp-server + package be removed to reduce the potential attack surface. @@ -10161,42 +10161,42 @@ Unless a system is specifically set up to act as a DHCP server, it is recommende -Run the following commands to stop dhcpd.service - and dhcpd6.service - and remove dhcp-server - package: + Run the following commands to stop dhcpd.service + and dhcpd6.service + and remove dhcp-server + package: -# systemctl stop dhcpd.service dhcpd6.service
-# dnf remove dhcp-server -
+ # systemctl stop dhcpd.service dhcpd6.service
+ # dnf remove dhcp-server + - OR - - IF - - the dhcp-server - package is required as a dependency: + the dhcp-server + package is required as a dependency: -Run the following commands to stop and mask dhcpd.service - and dhcpd6.service -: + Run the following commands to stop and mask dhcpd.service + and dhcpd6.service + : -# systemctl stop dhcpd.service dhcpd6.service
-# systemctl mask dhcpd.service dhcpd6.service -
+ # systemctl stop dhcpd.service dhcpd6.service
+ # systemctl mask dhcpd.service dhcpd6.service + Impact: -There may be packages that are dependent on the dhcp-server - package. If the dhcp-server - package is removed, these dependent packages will be removed as well. Before removing the dhcp-server - package, review any dependent packages to determine if they are required on the system. + There may be packages that are dependent on the dhcp-server + package. If the dhcp-server + package is removed, these dependent packages will be removed as well. Before removing the dhcp-server + package, review any dependent packages to determine if they are required on the system. - IF - - a dependent package is required: stop and mask the dhcpd.service - and dhcpd6.service - leaving the dhcp-server - package installed. + a dependent package is required: stop and mask the dhcpd.service + and dhcpd6.service + leaving the dhcp-server + package installed.
@@ -10262,39 +10262,39 @@ There may be packages that are dependent on the -Run the following commands to stop named.service - and remove bind - package: + Run the following commands to stop named.service + and remove bind + package: -# systemctl stop named.service
-# dnf remove bind -
+ # systemctl stop named.service
+ # dnf remove bind + - OR - - IF - - the bind - package is required as a dependency: + the bind + package is required as a dependency: -Run the following commands to stop and mask named.service -: + Run the following commands to stop and mask named.service + : -# systemctl stop named.service
-# systemctl mask named.service -
+ # systemctl stop named.service
+ # systemctl mask named.service + Impact: -There may be packages that are dependent on the bind - package. If the bind - package is removed, these dependent packages will be removed as well. Before removing the bind - package, review any dependent packages to determine if they are required on the system. + There may be packages that are dependent on the bind + package. If the bind + package is removed, these dependent packages will be removed as well. Before removing the bind + package, review any dependent packages to determine if they are required on the system. - IF - - a dependent package is required: stop and mask the named.service - leaving the bind - package installed. + a dependent package is required: stop and mask the named.service + leaving the bind + package installed. @@ -10320,7 +10320,7 @@ There may be packages that are dependent on the dnsmasq - is a lightweight tool that provides DNS caching, DNS forwarding and DHCP (Dynamic Host Configuration Protocol) services. + is a lightweight tool that provides DNS caching, DNS forwarding and DHCP (Dynamic Host Configuration Protocol) services. @@ -10350,39 +10350,39 @@ There may be packages that are dependent on the -Run the following commands to stop dnsmasq.service - and remove dnsmasq - package: + Run the following commands to stop dnsmasq.service + and remove dnsmasq + package: -# systemctl stop dnsmasq.service
-# dnf remove dnsmasq -
+ # systemctl stop dnsmasq.service
+ # dnf remove dnsmasq + - OR - - IF - - the dnsmasq - package is required as a dependency: + the dnsmasq + package is required as a dependency: -Run the following commands to stop and mask the dnsmasq.service -: + Run the following commands to stop and mask the dnsmasq.service + : -# systemctl stop dnsmasq.service
-# systemctl mask dnsmasq.service -
+ # systemctl stop dnsmasq.service
+ # systemctl mask dnsmasq.service + Impact: -There may be packages that are dependent on the dnsmasq - package. If the dnsmasq - package is removed, these dependent packages will be removed as well. Before removing the dnsmasq - package, review any dependent packages to determine if they are required on the system. + There may be packages that are dependent on the dnsmasq + package. If the dnsmasq + package is removed, these dependent packages will be removed as well. Before removing the dnsmasq + package, review any dependent packages to determine if they are required on the system. - IF - - a dependent package is required: stop and mask the dnsmasq.service - leaving the dnsmasq - package installed. + a dependent package is required: stop and mask the dnsmasq.service + leaving the dnsmasq + package installed. @@ -10436,39 +10436,39 @@ There may be packages that are dependent on the -Run the following command to stop smb.service - and remove samba - package: + Run the following command to stop smb.service + and remove samba + package: -# systemctl stop smb.service
-# dnf remove samba -
+ # systemctl stop smb.service
+ # dnf remove samba + - OR - - IF - - the samba - package is required as a dependency: + the samba + package is required as a dependency: -Run the following commands to stop and mask the smb.service -: + Run the following commands to stop and mask the smb.service + : -# systemctl stop smb.service
-# systemctl mask smb.service -
+ # systemctl stop smb.service
+ # systemctl mask smb.service + Impact: -There may be packages that are dependent on the samba - package. If the samba - package is removed, these dependent packages will be removed as well. Before removing the samba - package, review any dependent packages to determine if they are required on the system. + There may be packages that are dependent on the samba + package. If the samba + package is removed, these dependent packages will be removed as well. Before removing the samba + package, review any dependent packages to determine if they are required on the system. - IF - - a dependent package is required: stop and mask the smb.service - leaving the samba - package installed. + a dependent package is required: stop and mask the smb.service + leaving the samba + package installed. @@ -10522,42 +10522,42 @@ There may be packages that are dependent on the -Run the following commands to stop vsftpd.service - and remove vsftpd - package: + Run the following commands to stop vsftpd.service + and remove vsftpd + package: -# systemctl stop vsftpd.service
-# dnf remove vsftpd -
+ # systemctl stop vsftpd.service
+ # dnf remove vsftpd + - OR - - IF - - the vsftpd - package is required as a dependency: + the vsftpd + package is required as a dependency: -Run the following commands to stop and mask the vsftpd.service -: + Run the following commands to stop and mask the vsftpd.service + : -# systemctl stop vsftpd.service
-# systemctl mask vsftpd.service -
+ # systemctl stop vsftpd.service
+ # systemctl mask vsftpd.service + Note: - Other ftp server packages may exist. If not required and authorized by local site policy, they should also be removed. If the package is required for a dependency, the service should be stopped and masked. + Other ftp server packages may exist. If not required and authorized by local site policy, they should also be removed. If the package is required for a dependency, the service should be stopped and masked. Impact: -There may be packages that are dependent on the vsftpd - package. If the vsftpd - package is removed, these dependent packages will be removed as well. Before removing the vsftpd - package, review any dependent packages to determine if they are required on the system. + There may be packages that are dependent on the vsftpd + package. If the vsftpd + package is removed, these dependent packages will be removed as well. Before removing the vsftpd + package, review any dependent packages to determine if they are required on the system. - IF - - a dependent package is required: stop and mask the vsftpd.service - leaving the vsftpd - package installed. + a dependent package is required: stop and mask the vsftpd.service + leaving the vsftpd + package installed. @@ -10583,8 +10583,8 @@ There may be packages that are dependent on the dovecot - and cyrus-imapd - are open source IMAP and POP3 server packages for Linux based systems. + and cyrus-imapd + are open source IMAP and POP3 server packages for Linux based systems. 
@@ -10608,7 +10608,7 @@ There may be packages that are dependent on the Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface. Note: - Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required. + Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required. @@ -10617,50 +10617,50 @@ There may be packages that are dependent on the -Run the following commands to stop dovecot.socket -, dovecot.service -, and cyrus-imapd.service -, and remove dovecot - and cyrus-imapd - packages: + Run the following commands to stop dovecot.socket + , dovecot.service + , and cyrus-imapd.service + , and remove dovecot + and cyrus-imapd + packages: -# systemctl stop dovecot.socket dovecot.service cyrus-imapd.service
-# dnf remove dovecot cyrus-imapd -
+ # systemctl stop dovecot.socket dovecot.service cyrus-imapd.service
+ # dnf remove dovecot cyrus-imapd + - OR - - IF - - a package is installed and - is required for dependencies: + a package is installed and + is required for dependencies: -Run the following commands to stop and mask dovecot.socket -, dovecot.service -, and cyrus-imapd.service -: + Run the following commands to stop and mask dovecot.socket + , dovecot.service + , and cyrus-imapd.service + : -# systemctl stop dovecot.socket dovecot.service cyrus-imapd.service
-# systemctl mask dovecot.socket dovecot.service cyrus-imapd.service -
+ # systemctl stop dovecot.socket dovecot.service cyrus-imapd.service
+ # systemctl mask dovecot.socket dovecot.service cyrus-imapd.service + Impact: -There may be packages that are dependent on dovecot - and cyrus-imapd - packages. If dovecot - and cyrus-imapd - packages are removed, these dependent packages will be removed as well. Before removing dovecot - and cyrus-imapd - packages, review any dependent packages to determine if they are required on the system. + There may be packages that are dependent on dovecot + and cyrus-imapd + packages. If dovecot + and cyrus-imapd + packages are removed, these dependent packages will be removed as well. Before removing dovecot + and cyrus-imapd + packages, review any dependent packages to determine if they are required on the system. - IF - - a dependent package is required: stop and mask dovecot.socket -, dovecot.service - and cyrus-imapd.service - leaving dovecot - and cyrus-imapd - packages installed. + a dependent package is required: stop and mask dovecot.socket + , dovecot.service + and cyrus-imapd.service + leaving dovecot + and cyrus-imapd + packages installed. @@ -10738,8 +10738,8 @@ There may be packages that are dependent on
-If chrony - is in use on the system proper configuration is vital to ensuring time synchronization is working properly. + If chrony + is in use on the system proper configuration is vital to ensuring time synchronization is working properly. @@ -12380,14 +12380,14 @@ If chrony -Add or edit server or pool lines to /etc/chrony.conf - or a file in the /etc/chrony.d - directory as appropriate: + Add or edit server or pool lines to /etc/chrony.conf + or a file in the /etc/chrony.d + directory as appropriate: Example: server <remote-server> - + @@ -12409,10 +12409,10 @@ Add or edit server or pool lines to Ensure chrony is not run as the root user -The file /etc/sysconfig/chronyd - allows configuration of options for chrony - to include the user chrony - is run as. By default this is set to the user chrony + The file /etc/sysconfig/chronyd + allows configuration of options for chrony + to include the user chrony + is run as. By default this is set to the user chrony @@ -12422,19 +12422,19 @@ The file /etc/sysconfig/chronyd -Edit the file /etc/sysconfig/chronyd - and add or modify the following line to remove -u root -: + Edit the file /etc/sysconfig/chronyd + and add or modify the following line to remove -u root + : Example: OPTIONS="-F 2" - + -Run the following command to reload the chronyd.service - configuration: + Run the following command to reload the chronyd.service + configuration: # systemctl reload-or-restart chronyd.service - + 
@@ -12455,31 +12455,31 @@ Run the following command to reload the cron - is a time based job scheduler + is a time based job scheduler Notes: -Other methods, such as systemd timers -, exist for scheduling jobs. If another method is used, cron - should be removed, and the alternate method should be secured in accordance with local site policy + Other methods, such as systemd timers + , exist for scheduling jobs. If another method is used, cron + should be removed, and the alternate method should be secured in accordance with local site policy - IF - - cron is not installed on the system, this section can be skipped + cron is not installed on the system, this section can be skipped Ensure cron daemon is enabled and active -The cron - daemon is used to execute batch jobs on the system. + The cron + daemon is used to execute batch jobs on the system. -While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron - is used to execute them. + While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron + is used to execute them. NIST SP 800-53 Rev. 5: CM-1, CM-2, CM-6, CM-7, IA-5 @@ -12487,14 +12487,14 @@ While there may not be user jobs that need to be run on the system, the system d - IF - - cron is installed on the system: + cron is installed on the system: -Run the following commands to unmask, enable, and start cron -: + Run the following commands to unmask, enable, and start cron + : -# systemctl unmask "$(systemctl list-unit-files | awk '$1~/^crond?\.service/{print $1}')"
-# systemctl --now enable "$(systemctl list-unit-files | awk '$1~/^crond?\.service/{print $1}')" -
+ # systemctl unmask "$(systemctl list-unit-files | awk '$1~/^crond?\.service/{print $1}')"
+ # systemctl --now enable "$(systemctl list-unit-files | awk '$1~/^crond?\.service/{print $1}')" +
@@ -12535,9 +12535,9 @@ Run the following commands to unmask, enable, and start Ensure permissions on /etc/crontab are configured -The /etc/crontab - file is used by cron - to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file. + The /etc/crontab + file is used by cron + to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file. @@ -12568,14 +12568,14 @@ The /etc/crontab - IF - - cron is installed on the system: + cron is installed on the system: -Run the following commands to set ownership and permissions on /etc/crontab -: + Run the following commands to set ownership and permissions on /etc/crontab + : -# chown root:root /etc/crontab
-# chmod og-rwx /etc/crontab -
+ # chown root:root /etc/crontab
+ # chmod og-rwx /etc/crontab + @@ -12613,9 +12613,9 @@ Run the following commands to set ownership and permissions on Ensure permissions on /etc/cron.hourly are configured -This directory contains system cron - jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab - command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. + This directory contains system cron + jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab + command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. @@ -12646,14 +12646,14 @@ This directory contains system cr - IF - - cron is installed on the system: + cron is installed on the system: -Run the following commands to set ownership and permissions on the /etc/cron.hourly - directory: + Run the following commands to set ownership and permissions on the /etc/cron.hourly + directory: -# chown root:root /etc/cron.hourly/
-# chmod og-rwx /etc/cron.hourly/ -
+ # chown root:root /etc/cron.hourly/
+ # chmod og-rwx /etc/cron.hourly/ + @@ -12691,9 +12691,9 @@ Run the following commands to set ownership and permissions on the Ensure permissions on /etc/cron.daily are configured -The /etc/cron.daily - directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab - command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. + The /etc/cron.daily + directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab + command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. @@ -12724,14 +12724,14 @@ The /etc/cron.daily - IF - - cron is installed on the system: + cron is installed on the system: -Run the following commands to set ownership and permissions on the /etc/cron.daily - directory: + Run the following commands to set ownership and permissions on the /etc/cron.daily + directory: -# chown root:root /etc/cron.daily/
-# chmod og-rwx /etc/cron.daily/ -
+ # chown root:root /etc/cron.daily/
+ # chmod og-rwx /etc/cron.daily/ + @@ -12769,9 +12769,9 @@ Run the following commands to set ownership and permissions on the Ensure permissions on /etc/cron.weekly are configured -The /etc/cron.weekly - directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab - command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. + The /etc/cron.weekly + directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab + command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. @@ -12802,14 +12802,14 @@ The /etc/cron.weekly - IF - - cron is installed on the system: + cron is installed on the system: -Run the following commands to set ownership and permissions on the /etc/cron.weekly - directory: + Run the following commands to set ownership and permissions on the /etc/cron.weekly + directory: -# chown root:root /etc/cron.weekly/
-# chmod og-rwx /etc/cron.weekly/ -
+ # chown root:root /etc/cron.weekly/
+ # chmod og-rwx /etc/cron.weekly/ + @@ -12847,9 +12847,9 @@ Run the following commands to set ownership and permissions on the Ensure permissions on /etc/cron.monthly are configured -The /etc/cron.monthly - directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab - command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. + The /etc/cron.monthly + directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab + command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. @@ -12880,14 +12880,14 @@ The /etc/cron.monthly - IF - - cron is installed on the system: + cron is installed on the system: -Run the following commands to set ownership and permissions on the /etc/cron.monthly - directory: + Run the following commands to set ownership and permissions on the /etc/cron.monthly + directory: -# chown root:root /etc/cron.monthly/
-# chmod og-rwx /etc/cron.monthly/ -
+ # chown root:root /etc/cron.monthly/
+ # chmod og-rwx /etc/cron.monthly/ + @@ -12925,11 +12925,11 @@ Run the following commands to set ownership and permissions on the Ensure permissions on /etc/cron.d are configured -The /etc/cron.d - directory contains system cron - jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab -, but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab - command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. + The /etc/cron.d + directory contains system cron + jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab + , but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab + command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. @@ -12960,14 +12960,14 @@ The /etc/cron.d - IF - - cron is installed on the system: + cron is installed on the system: -Run the following commands to set ownership and permissions on the /etc/cron.d - directory: + Run the following commands to set ownership and permissions on the /etc/cron.d + directory: -# chown root:root /etc/cron.d/
-# chmod og-rwx /etc/cron.d/ -
+ # chown root:root /etc/cron.d/
+ # chmod og-rwx /etc/cron.d/ + 
@@ -13006,41 +13006,41 @@ Run the following commands to set ownership and permissions on the crontab - is the program used to install, deinstall, or list the tables used to drive the cron daemon. Each user can have their own crontab, and though these are files in /var/spool/cron/crontabs -, they are not intended to be edited directly. - -If the /etc/cron.allow - file exists, then you must be listed (one user per line) therein in order to be allowed to use this command. If the /etc/cron.allow - file does not exist but the /etc/cron.deny - file does exist, then you must not be listed in the /etc/cron.deny - file in order to use this command. + is the program used to install, deinstall, or list the tables used to drive the cron daemon. Each user can have their own crontab, and though these are files in /var/spool/cron/crontabs + , they are not intended to be edited directly. + + If the /etc/cron.allow + file exists, then you must be listed (one user per line) therein in order to be allowed to use this command. If the /etc/cron.allow + file does not exist but the /etc/cron.deny + file does exist, then you must not be listed in the /etc/cron.deny + file in order to use this command. If neither of these files exists, then depending on site-dependent configuration parameters, only the super user will be allowed to use this command, or all users will be able to use this command. -If both files exist then /etc/cron.allow - takes precedence. Which means that /etc/cron.deny - is not considered and your user must be listed in /etc/cron.allow - in order to be able to use the crontab. + If both files exist then /etc/cron.allow + takes precedence. Which means that /etc/cron.deny + is not considered and your user must be listed in /etc/cron.allow + in order to be able to use the crontab. Regardless of the existence of any of these files, the root administrative user is always allowed to setup a crontab. 
-The files /etc/cron.allow - and /etc/cron.deny -, if they exist, must be either world-readable, or readable by group crontab -. If they are not, then cron will deny access to all users until the permissions are fixed. + The files /etc/cron.allow + and /etc/cron.deny + , if they exist, must be either world-readable, or readable by group crontab + . If they are not, then cron will deny access to all users until the permissions are fixed. -There is one file for each user's crontab under the /var/spool/cron/crontabs - directory. Users are not allowed to edit the files under that directory directly to ensure that only users allowed by the system to run periodic tasks can add them, and only syntactically correct crontabs will be written there. This is enforced by having the directory writable only by the crontab - group and configuring crontab command with the setgid bid set for that specific group. + There is one file for each user's crontab under the /var/spool/cron/crontabs + directory. Users are not allowed to edit the files under that directory directly to ensure that only users allowed by the system to run periodic tasks can add them, and only syntactically correct crontabs will be written there. This is enforced by having the directory writable only by the crontab + group and configuring crontab command with the setgid bid set for that specific group. Note: -Even though a given user is not listed in cron.allow -, cron jobs can still be run as that user + Even though a given user is not listed in cron.allow + , cron jobs can still be run as that user -The files /etc/cron.allow - and /etc/cron.deny -, if they exist, only controls administrative access to the crontab command for scheduling and modifying cron jobs + The files /etc/cron.allow + and /etc/cron.deny + , if they exist, only controls administrative access to the crontab command for scheduling and modifying cron jobs 
@@ -13063,10 +13063,10 @@ The files /etc/cron.allow -On many systems, only the system administrator is authorized to schedule cron - jobs. Using the cron.allow - file to control who can run cron - jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files. + On many systems, only the system administrator is authorized to schedule cron + jobs. Using the cron.allow + file to control who can run cron + jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files. @@ -13076,50 +13076,50 @@ On many systems, only the system administrator is authorized to schedule - IF - - cron is installed on the system: + cron is installed on the system: Run the following script to: -Create /etc/cron.allow - if it doesn't exist + Create /etc/cron.allow + if it doesn't exist -Change owner to user root + Change owner to user root -Change group owner to group root + Change group owner to group root -Change mode to 640 - or more restrictive + Change mode to 640 + or more restrictive -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- [ ! -e "/etc/cron.allow" ] && touch /etc/cron.allow
- chown root:root /etc/cron.allow
- chmod u-x,g-wx,o-rwx /etc/cron.allow
-} -
+ {
+ [ ! -e "/etc/cron.allow" ] && touch /etc/cron.allow
+ chown root:root /etc/cron.allow
+ chmod u-x,g-wx,o-rwx /etc/cron.allow
+ } + - IF - /etc/cron.deny - exists, run the following commands to: + exists, run the following commands to: -Change owner to user root + Change owner to user root -Change group owner to group root + Change group owner to group root -Change mode to 640 - or more restrictive + Change mode to 640 + or more restrictive -# [ -e "/etc/cron.deny" ] && chown root:root /etc/cron.deny
-# [ -e "/etc/cron.deny" ] && chmod u-x,g-wx,o-rwx /etc/cron.deny -
+ # [ -e "/etc/cron.deny" ] && chown root:root /etc/cron.deny
+ # [ -e "/etc/cron.deny" ] && chmod u-x,g-wx,o-rwx /etc/cron.deny + 
@@ -13185,26 +13185,26 @@ Change mode to 640 at - is a command-line utility used to schedule a job for later execution + is a command-line utility used to schedule a job for later execution Note: - if at - is not installed on the system, this section can be skipped + if at + is not installed on the system, this section can be skipped Ensure at is restricted to authorized users at - allows fairly complex time specifications, extending the POSIX.2 standard. It accepts times of the form HH:MM to run a job at a specific time of day. (If that time is already past, the next day is assumed.) You may also specify midnight, noon, or teatime (4pm) and you can have a time-of-day suffixed with AM or PM for running in the morning or the evening. You can also say what day the job will be run, by giving a date in the form month-name day with an optional year, or giving a date of the form MMDD[CC]YY, MM/DD/[CC]YY, DD.MM.[CC]YY or [CC]YY-MM-DD. The specification of a date must follow the specification of the time of day. You can also give times like now + count time-units, where the time-units can be minutes, hours, days, or weeks and you can tell at to run the job today by suffixing the time with today and to run the job tomorrow by suffixing the time with tomorrow. - -The /etc/at.allow - and /etc/at.deny - files determine which user can submit commands for later execution via at or batch. The format of the files is a list of usernames, one on each line. Whitespace is not permitted. If the file /etc/at.allow - exists, only usernames mentioned in it are allowed to use at. If /etc/at.allow - does not exist, /etc/at.deny - is checked, every username not mentioned in it is then allowed to use at. An empty /etc/at.deny - means that every user may use at. If neither file exists, only the superuser is allowed to use at. + allows fairly complex time specifications, extending the POSIX.2 standard. It accepts times of the form HH:MM to run a job at a specific time of day. 
(If that time is already past, the next day is assumed.) You may also specify midnight, noon, or teatime (4pm) and you can have a time-of-day suffixed with AM or PM for running in the morning or the evening. You can also say what day the job will be run, by giving a date in the form month-name day with an optional year, or giving a date of the form MMDD[CC]YY, MM/DD/[CC]YY, DD.MM.[CC]YY or [CC]YY-MM-DD. The specification of a date must follow the specification of the time of day. You can also give times like now + count time-units, where the time-units can be minutes, hours, days, or weeks and you can tell at to run the job today by suffixing the time with today and to run the job tomorrow by suffixing the time with tomorrow. + + The /etc/at.allow + and /etc/at.deny + files determine which user can submit commands for later execution via at or batch. The format of the files is a list of usernames, one on each line. Whitespace is not permitted. If the file /etc/at.allow + exists, only usernames mentioned in it are allowed to use at. If /etc/at.allow + does not exist, /etc/at.deny + is checked, every username not mentioned in it is then allowed to use at. An empty /etc/at.deny + means that every user may use at. If neither file exists, only the superuser is allowed to use at. @@ -13226,10 +13226,10 @@ The /etc/at.allow -On many systems, only the system administrator is authorized to schedule at - jobs. Using the at.allow - file to control who can run at - jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files. + On many systems, only the system administrator is authorized to schedule at + jobs. Using the at.allow + file to control who can run at + jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files. 
@@ -13239,58 +13239,58 @@ On many systems, only the system administrator is authorized to schedule - IF - - at is installed on the system: + at is installed on the system: Run the following script to: /etc/at.allow -: - + : + Create the file if it doesn't exist -Change owner or user root + Change owner or user root -If group daemon - exists, change to group daemon -, else change group to root + If group daemon + exists, change to group daemon + , else change group to root -Change mode to 640 - or more restrictive + Change mode to 640 + or more restrictive - IF - /etc/at.deny - exists: - + exists: + -Change owner or user root + Change owner or user root -If group daemon - exists, change to group daemon -, else change group to root + If group daemon + exists, change to group daemon + , else change group to root -Change mode to 640 - or more restrictive + Change mode to 640 + or more restrictive -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- grep -Pq -- '^daemon\b' /etc/group && l_group="daemon" || l_group="root"
- [ ! -e "/etc/at.allow" ] && touch /etc/at.allow
- chown root:"$l_group" /etc/at.allow
- chmod u-x,g-wx,o-rwx /etc/at.allow
- [ -e "/etc/at.deny" ] && chown root:"$l_group" /etc/at.deny
- [ -e "/etc/at.deny" ] && chmod u-x,g-wx,o-rwx /etc/at.deny
-} -
+ {
+ grep -Pq -- '^daemon\b' /etc/group && l_group="daemon" || l_group="root"
+ [ ! -e "/etc/at.allow" ] && touch /etc/at.allow
+ chown root:"$l_group" /etc/at.allow
+ chmod u-x,g-wx,o-rwx /etc/at.allow
+ [ -e "/etc/at.deny" ] && chown root:"$l_group" /etc/at.deny
+ [ -e "/etc/at.deny" ] && chmod u-x,g-wx,o-rwx /etc/at.deny
+ } + @@ -13359,7 +13359,7 @@ Change mode to 640
To reduce the attack surface of a system, unused devices should be disabled. Note: - This should not be considered a comprehensive list, you may wish to consider additions to those listed here for your environment. + This should not be considered a comprehensive list, you may wish to consider additions to those listed here for your environment. Ensure IPv6 status is identified @@ -13398,10 +13398,10 @@ Change mode to 640IETF RFC 4038 recommends that applications are built with an assumption of dual stack. It is recommended that IPv6 be enabled and configured in accordance with Benchmark recommendations. - IF - - dual stack and IPv6 are not used in your environment, IPv6 may be disabled to reduce the attack surface of the system, and recommendations pertaining to IPv6 can be skipped. + dual stack and IPv6 are not used in your environment, IPv6 may be disabled to reduce the attack surface of the system, and recommendations pertaining to IPv6 can be skipped. Note: - It is recommended that IPv6 be enabled and configured unless this is against local site policy + It is recommended that IPv6 be enabled and configured unless this is against local site policy @@ -13456,7 +13456,7 @@ Change mode to 640 - IF - - wireless is not to be used, wireless devices can be disabled to reduce the potential attack surface. + wireless is not to be used, wireless devices can be disabled to reduce the potential attack surface. @@ -13467,32 +13467,32 @@ Change mode to 640 Run the following script to disable any wireless interfaces: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- module_fix()
- {
- if ! modprobe -n -v "$l_mname" | grep -P -- '^\h*install \/bin\/(true|false)'; then
- echo -e " - setting module: \"$l_mname\" to be un-loadable"
- echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mname".conf
- fi
- if lsmod | grep "$l_mname" > /dev/null 2>&1; then
- echo -e " - unloading module \"$l_mname\""
- modprobe -r "$l_mname"
- fi
- if ! grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then
- echo -e " - deny listing \"$l_mname\""
- echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mname".conf
- fi
- }
- if [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
- l_dname=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname); do basename "$(readlink -f "$driverdir"/device/driver/module)";done | sort -u)
- for l_mname in $l_dname; do
- module_fix
- done
- fi
-} -
+ {
+ module_fix()
+ {
+ if ! modprobe -n -v "$l_mname" | grep -P -- '^\h*install \/bin\/(true|false)'; then
+ echo -e " - setting module: \"$l_mname\" to be un-loadable"
+ echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mname".conf
+ fi
+ if lsmod | grep "$l_mname" > /dev/null 2>&1; then
+ echo -e " - unloading module \"$l_mname\""
+ modprobe -r "$l_mname"
+ fi
+ if ! grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then
+ echo -e " - deny listing \"$l_mname\""
+ echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mname".conf
+ fi
+ }
+ if [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
+ l_dname=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname); do basename "$(readlink -f "$driverdir"/device/driver/module)";done | sort -u)
+ for l_mname in $l_dname; do
+ module_fix
+ done
+ fi
+ } + Impact: Many if not all laptop workstations and some desktop workstations will connect via wireless requiring these interfaces be enabled. @@ -13532,8 +13532,8 @@ Change mode to 640 -An attacker may be able to find a way to access or corrupt your data. One example of this type of activity is bluesnarfing -, which refers to attackers using a Bluetooth connection to steal information off of your Bluetooth device. Also, viruses or other malicious code can take advantage of Bluetooth technology to infect other devices. If you are infected, your data may be corrupted, compromised, stolen, or lost. + An attacker may be able to find a way to access or corrupt your data. One example of this type of activity is bluesnarfing + , which refers to attackers using a Bluetooth connection to steal information off of your Bluetooth device. Also, viruses or other malicious code can take advantage of Bluetooth technology to infect other devices. If you are infected, your data may be corrupted, compromised, stolen, or lost. @@ -13542,43 +13542,43 @@ An attacker may be able to find a way to access or corrupt your data. One exampl -Run the following commands to stop bluetooth.service -, and remove the bluez - package: + Run the following commands to stop bluetooth.service + , and remove the bluez + package: -# systemctl stop bluetooth.service
-# dnf remove bluez -
+ # systemctl stop bluetooth.service
+ # dnf remove bluez + - OR - - IF - - the bluez - package is required as a dependency: + the bluez + package is required as a dependency: -Run the following commands to stop and mask bluetooth.service -: + Run the following commands to stop and mask bluetooth.service + : -# systemctl stop bluetooth.service
-# systemctl mask bluetooth.service -
+ # systemctl stop bluetooth.service
+ # systemctl mask bluetooth.service + Note: - A reboot may be required + A reboot may be required Impact: Many personal electronic devices (PEDs) use Bluetooth technology. For example, you may be able to operate your computer with a wireless keyboard. Disabling Bluetooth will prevent these devices from connecting to the system. -There may be packages that are dependent on the bluez - package. If the bluez - package is removed, these dependent packages will be removed as well. Before removing the bluez - package, review any dependent packages to determine if they are required on the system. + There may be packages that are dependent on the bluez + package. If the bluez + package is removed, these dependent packages will be removed as well. Before removing the bluez + package, review any dependent packages to determine if they are required on the system. - IF - - a dependent package is required: stop and mask bluetooth.service - leaving the bluez - package installed. + a dependent package is required: stop and mask bluetooth.service + leaving the bluez + package installed.
@@ -13606,7 +13606,7 @@ There may be packages that are dependent on the The Linux kernel modules support several network protocols that are not commonly used. If these protocols are not needed, it is recommended that they be disabled in the kernel. Note: - This should not be considered a comprehensive list of uncommon network protocols, you may wish to consider additions to those listed here for your environment. + This should not be considered a comprehensive list of uncommon network protocols, you may wish to consider additions to those listed here for your environment. Ensure dccp kernel module is not available @@ -13634,7 +13634,7 @@ There may be packages that are dependent on the - IF - - the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. + the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. 
@@ -13643,74 +13643,74 @@ There may be packages that are dependent on the -Run the following script to unload and disable the dccp - module: + Run the following script to unload and disable the dccp + module: - IF - - the dccp - kernel module is available in ANY installed kernel: + the dccp + kernel module is available in ANY installed kernel: -Create a file ending in .conf - with install dccp /bin/false - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with install dccp /bin/false + in the /etc/modprobe.d/ + directory -Create a file ending in .conf - with blacklist dccp - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with blacklist dccp + in the /etc/modprobe.d/ + directory -Run modprobe -r dccp 2>/dev/null; rmmod dccp 2>/dev/null - to remove dccp - from the kernel + Run modprobe -r dccp 2>/dev/null; rmmod dccp 2>/dev/null + to remove dccp + from the kernel - IF - - the dccp - kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary + the dccp + kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
- l_mod_name="dccp" # set module name
- l_mod_type="net" # set module type
- l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
- f_module_fix()
- {
- l_dl="y" # Set to ignore duplicate checks
- a_showconfig=() # Create array with modprobe output
- while IFS= read -r l_showconfig; do
- a_showconfig+=("$l_showconfig")
- done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
- if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
- a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
- modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
- fi
- if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
- printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
- printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- }
- for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
- if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
- l_output3="$l_output3\n - \"$l_mod_base_directory\""
- [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
- [ "$l_dl" != "y" ] && f_module_fix
- else
- echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
- fi
- done
- [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
- [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
- echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
-} -
+ {
+ unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
+ l_mod_name="dccp" # set module name
+ l_mod_type="net" # set module type
+ l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
+ f_module_fix()
+ {
+ l_dl="y" # Set to ignore duplicate checks
+ a_showconfig=() # Create array with modprobe output
+ while IFS= read -r l_showconfig; do
+ a_showconfig+=("$l_showconfig")
+ done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
+ if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
+ a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
+ modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
+ fi
+ if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
+ printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
+ printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ }
+ for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
+ if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
+ l_output3="$l_output3\n - \"$l_mod_base_directory\""
+ [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
+ [ "$l_dl" != "y" ] && f_module_fix
+ else
+ echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
+ fi
+ done
+ [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
+ [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
+ echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
+ } + @@ -13748,7 +13748,7 @@ Run modprobe -r dccp 2>/de - IF - - the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. + the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. @@ -13757,74 +13757,74 @@ Run modprobe -r dccp 2>/de -Run the following script to unload and disable the tipc - module: + Run the following script to unload and disable the tipc + module: - IF - - the tipc - kernel module is available in ANY installed kernel: + the tipc + kernel module is available in ANY installed kernel: -Create a file ending in .conf - with install tipc /bin/false - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with install tipc /bin/false + in the /etc/modprobe.d/ + directory -Create a file ending in .conf - with blacklist tipc - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with blacklist tipc + in the /etc/modprobe.d/ + directory -Run modprobe -r tipc 2>/dev/null; rmmod tipc 2>/dev/null - to remove tipc - from the kernel + Run modprobe -r tipc 2>/dev/null; rmmod tipc 2>/dev/null + to remove tipc + from the kernel - IF - - the tipc - kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary + the tipc + kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
- l_mod_name="tipc" # set module name
- l_mod_type="net" # set module type
- l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
- f_module_fix()
- {
- l_dl="y" # Set to ignore duplicate checks
- a_showconfig=() # Create array with modprobe output
- while IFS= read -r l_showconfig; do
- a_showconfig+=("$l_showconfig")
- done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
- if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
- a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
- modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
- fi
- if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
- printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
- printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- }
- for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
- if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
- l_output3="$l_output3\n - \"$l_mod_base_directory\""
- [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
- [ "$l_dl" != "y" ] && f_module_fix
- else
- echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
- fi
- done
- [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
- [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
- echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
-} -
+ {
+ unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
+ l_mod_name="tipc" # set module name
+ l_mod_type="net" # set module type
+ l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
+ f_module_fix()
+ {
+ l_dl="y" # Set to ignore duplicate checks
+ a_showconfig=() # Create array with modprobe output
+ while IFS= read -r l_showconfig; do
+ a_showconfig+=("$l_showconfig")
+ done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
+ if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
+ a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
+ modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
+ fi
+ if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
+ printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
+ printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ }
+ for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
+ if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
+ l_output3="$l_output3\n - \"$l_mod_base_directory\""
+ [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
+ [ "$l_dl" != "y" ] && f_module_fix
+ else
+ echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
+ fi
+ done
+ [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
+ [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
+ echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
+ } +
@@ -13862,7 +13862,7 @@ Run modprobe -r tipc 2>/de - IF - - the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. + the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. @@ -13871,74 +13871,74 @@ Run modprobe -r tipc 2>/de -Run the following script to unload and disable the rds - module: + Run the following script to unload and disable the rds + module: - IF - - the rds - kernel module is available in ANY installed kernel: + the rds + kernel module is available in ANY installed kernel: -Create a file ending in .conf - with install rds /bin/false - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with install rds /bin/false + in the /etc/modprobe.d/ + directory -Create a file ending in .conf - with blacklist rds - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with blacklist rds + in the /etc/modprobe.d/ + directory -Run modprobe -r rds 2>/dev/null; rmmod rds 2>/dev/null - to remove rds - from the kernel + Run modprobe -r rds 2>/dev/null; rmmod rds 2>/dev/null + to remove rds + from the kernel - IF - - the rds - kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary + the rds + kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
- l_mod_name="rds" # set module name
- l_mod_type="net" # set module type
- l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
- f_module_fix()
- {
- l_dl="y" # Set to ignore duplicate checks
- a_showconfig=() # Create array with modprobe output
- while IFS= read -r l_showconfig; do
- a_showconfig+=("$l_showconfig")
- done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
- if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
- a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
- modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
- fi
- if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
- printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
- printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- }
- for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
- if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
- l_output3="$l_output3\n - \"$l_mod_base_directory\""
- [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
- [ "$l_dl" != "y" ] && f_module_fix
- else
- echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
- fi
- done
- [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
- [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
- echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
-} -
+ {
+ unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
+ l_mod_name="rds" # set module name
+ l_mod_type="net" # set module type
+ l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
+ f_module_fix()
+ {
+ l_dl="y" # Set to ignore duplicate checks
+ a_showconfig=() # Create array with modprobe output
+ while IFS= read -r l_showconfig; do
+ a_showconfig+=("$l_showconfig")
+ done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
+ if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
+ a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
+ modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
+ fi
+ if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
+ printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
+ printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ }
+ for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
+ if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
+ l_output3="$l_output3\n - \"$l_mod_base_directory\""
+ [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
+ [ "$l_dl" != "y" ] && f_module_fix
+ else
+ echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
+ fi
+ done
+ [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
+ [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
+ echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
+ } +
@@ -13976,7 +13976,7 @@ Run modprobe -r rds 2>/dev - IF - - the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. + the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface. @@ -13985,74 +13985,74 @@ Run modprobe -r rds 2>/dev -Run the following script to unload and disable the sctp - module: + Run the following script to unload and disable the sctp + module: - IF - - the sctp - kernel module is available in ANY installed kernel: + the sctp + kernel module is available in ANY installed kernel: -Create a file ending in .conf - with install sctp /bin/false - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with install sctp /bin/false + in the /etc/modprobe.d/ + directory -Create a file ending in .conf - with blacklist sctp - in the /etc/modprobe.d/ - directory + Create a file ending in .conf + with blacklist sctp + in the /etc/modprobe.d/ + directory -Run modprobe -r sctp 2>/dev/null; rmmod sctp 2>/dev/null - to remove sctp - from the kernel + Run modprobe -r sctp 2>/dev/null; rmmod sctp 2>/dev/null + to remove sctp + from the kernel - IF - - the sctp - kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary + the sctp + kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
- l_mod_name="sctp" # set module name
- l_mod_type="net" # set module type
- l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
- f_module_fix()
- {
- l_dl="y" # Set to ignore duplicate checks
- a_showconfig=() # Create array with modprobe output
- while IFS= read -r l_showconfig; do
- a_showconfig+=("$l_showconfig")
- done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
- if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
- a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
- modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
- fi
- if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
- printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
- a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
- printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
- fi
- }
- for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
- if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
- l_output3="$l_output3\n - \"$l_mod_base_directory\""
- [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
- [ "$l_dl" != "y" ] && f_module_fix
- else
- echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
- fi
- done
- [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
- [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
- echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
-}
-
+ {
+ unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
+ l_mod_name="sctp" # set module name
+ l_mod_type="net" # set module type
+ l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
+ f_module_fix()
+ {
+ l_dl="y" # Set to ignore duplicate checks
+ a_showconfig=() # Create array with modprobe output
+ while IFS= read -r l_showconfig; do
+ a_showconfig+=("$l_showconfig")
+ done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_name//-/_}"'\b')
+ if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
+ a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
+ modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
+ fi
+ if ! grep -Pq -- '\binstall\h+'"${l_mod_name//-/_}"'\h+\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
+ printf '%s\n' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ if ! grep -Pq -- '\bblacklist\h+'"${l_mod_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
+ a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
+ printf '%s\n' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
+ fi
+ }
+ for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
+ if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-/\/})" ]; then
+ l_output3="$l_output3\n - \"$l_mod_base_directory\""
+ [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
+ [ "$l_dl" != "y" ] && f_module_fix
+ else
+ echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
+ fi
+ done
+ [ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mod_name\" exists in:$l_output3"
+ [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "${a_output2[@]}"
+ echo -e "\n - remediation of kernel module: \"$l_mod_name\" complete\n"
+ }
+
@@ -14074,18 +14074,18 @@ Run modprobe -r sctp 2>/de -sysctl settings are defined through files in /usr/local/lib -, /usr/lib/ -, /lib/ -, /run/ -, and /etc/ + sysctl settings are defined through files in /usr/local/lib + , /usr/lib/ + , /lib/ + , /run/ + , and /etc/ -Files are typically placed in the sysctl.d - directory within the parent directory + Files are typically placed in the sysctl.d + directory within the parent directory -The paths where sysctl preload files usually exist - + The paths where sysctl preload files usually exist + /run/sysctl.d/*.conf 
@@ -14107,53 +14107,53 @@ The paths where sysctl preload files usually exist -Files must have the " .conf -" extension + Files must have the " .conf + " extension -Vendors settings usually live in /usr/lib/ - or /usr/local/lib/ + Vendors settings usually live in /usr/lib/ + or /usr/local/lib/ -To override a whole file, create a new file with the same name in /etc/sysctl.d/ - and put new settings there. + To override a whole file, create a new file with the same name in /etc/sysctl.d/ + and put new settings there. -To override only specific settings, add a file with a lexically later name in /etc/sysctl.d/ - and put new settings there. + To override only specific settings, add a file with a lexically later name in /etc/sysctl.d/ + and put new settings there. -The command /usr/lib/systemd/systemd-sysctl --cat-config - produces output containing The system's loaded kernel parameters and the files they're configured in: - + The command /usr/lib/systemd/systemd-sysctl --cat-config + produces output containing The system's loaded kernel parameters and the files they're configured in: + Entries listed latter in the file take precedence over the same settings listed earlier in the file Files containing kernel parameters that are over-ridden by other files with the same name will not be listed On systems running UncomplicatedFirewall, the kernel parameters may be set or over-written. 
This will not be visible in the output of the command -On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf + On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf -The settings in /etc/ufw/sysctl.conf - will override settings other settings and will not - be visible in the output of the /usr/lib/systemd/systemd-sysctl --cat-config - command + The settings in /etc/ufw/sysctl.conf + will override settings other settings and will not + be visible in the output of the /usr/lib/systemd/systemd-sysctl --cat-config + command -This behavior can be changed by updating the IPT_SYSCTL - parameter in /etc/default/ufw + This behavior can be changed by updating the IPT_SYSCTL + parameter in /etc/default/ufw The system's loaded kernel parameters and the files they're configured in can be viewed by running the following command: # /usr/lib/systemd/systemd-sysctl --cat-config - + Ensure ip forwarding is disabled -The net.ipv4.ip_forward - and net.ipv6.conf.all.forwarding - flags are used to tell the system whether it can forward packets or not. + The net.ipv4.ip_forward + and net.ipv6.conf.all.forwarding + flags are used to tell the system whether it can forward packets or not. 
@@ -14174,26 +14174,26 @@ The net.ipv4.ip_forward -On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf + On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf -The settings in /etc/ufw/sysctl.conf - will override settings in /etc/sysctl.conf + The settings in /etc/ufw/sysctl.conf + will override settings in /etc/sysctl.conf -This behavior can be changed by updating the IPT_SYSCTL - parameter in /etc/default/ufw + This behavior can be changed by updating the IPT_SYSCTL + parameter in /etc/default/ufw -Setting net.ipv4.ip_forward - and net.ipv6.conf.all.forwarding - to 0 - ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router. + Setting net.ipv4.ip_forward + and net.ipv6.conf.all.forwarding + to 0 + ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router. @@ -14202,10 +14202,10 @@ Setting net.ipv4.ip_forward -Set the following parameter in /etc/sysctl.conf - or a file in /etc/sysctl.d/ - ending in .conf -: + Set the following parameter in /etc/sysctl.conf + or a file in /etc/sysctl.d/ + ending in .conf + : net.ipv4.ip_forward = 0 @@ -14215,24 +14215,24 @@ Set the following parameter in Example: # printf '%s\n' "net.ipv4.ip_forward = 0" >> /etc/sysctl.d/60-netipv4_sysctl.conf - + Run the following script to set the active kernel parameters: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- sysctl -w net.ipv4.ip_forward=0
- sysctl -w net.ipv4.route.flush=1
-}
-
+ {
+ sysctl -w net.ipv4.ip_forward=0
+ sysctl -w net.ipv4.route.flush=1
+ } + - IF - - IPv6 is enabled on the system: + IPv6 is enabled on the system: -Set the following parameter in /etc/sysctl.conf - or a file in /etc/sysctl.d/ - ending in .conf -: + Set the following parameter in /etc/sysctl.conf + or a file in /etc/sysctl.d/ + ending in .conf + : net.ipv6.conf.all.forwarding = 0 @@ -14242,19 +14242,19 @@ Set the following parameter in Example: # printf '%s\n' "net.ipv6.conf.all.forwarding = 0" >> /etc/sysctl.d/60-netipv6_sysctl.conf - + Run the following script to set the active kernel parameters: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- sysctl -w net.ipv6.conf.all.forwarding=0
- sysctl -w net.ipv6.route.flush=1
-}
-
+ {
+ sysctl -w net.ipv6.conf.all.forwarding=0
+ sysctl -w net.ipv6.route.flush=1
+ } + Note: - If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten + If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten Impact: IP forwarding is required on systems configured to act as a router. If these parameters are disabled, the system will not be able to perform as a router. @@ -14300,16 +14300,16 @@ Set the following parameter in
-On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf + On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf -The settings in /etc/ufw/sysctl.conf - will override settings in /etc/sysctl.conf + The settings in /etc/ufw/sysctl.conf + will override settings in /etc/sysctl.conf -This behavior can be changed by updating the IPT_SYSCTL - parameter in /etc/default/ufw + This behavior can be changed by updating the IPT_SYSCTL + parameter in /etc/default/ufw @@ -14324,10 +14324,10 @@ This behavior can be changed by updating the /etc/sysctl.conf - or a file in /etc/sysctl.d/ - ending in .conf -: + Set the following parameters in /etc/sysctl.conf + or a file in /etc/sysctl.d/ + ending in .conf + : net.ipv4.conf.all.send_redirects = 0 @@ -14340,20 +14340,20 @@ Set the following parameters in Example: # printf '%s\n' "net.ipv4.conf.all.send_redirects = 0" "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.d/60-netipv4_sysctl.conf - + Run the following script to set the active kernel parameters: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- sysctl -w net.ipv4.conf.all.send_redirects=0
- sysctl -w net.ipv4.conf.default.send_redirects=0
- sysctl -w net.ipv4.route.flush=1
-}
-
+ {
+ sysctl -w net.ipv4.conf.all.send_redirects=0
+ sysctl -w net.ipv4.conf.default.send_redirects=0
+ sysctl -w net.ipv4.route.flush=1
+ } + Note: - If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten + If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten Impact: IP forwarding is required on systems configured to act as a router. If these parameters are disabled, the system will not be able to perform as a router. @@ -14378,9 +14378,9 @@ Set the following parameters in Ensure bogus icmp responses are ignored -Setting net.ipv4.icmp_ignore_bogus_error_responses - to 1 - prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages. + Setting net.ipv4.icmp_ignore_bogus_error_responses + to 1 + prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages. @@ -14401,16 +14401,16 @@ Setting net.ipv4.icmp_ignore_bogus_ -On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf + On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf -The settings in /etc/ufw/sysctl.conf - will override settings in /etc/sysctl.conf + The settings in /etc/ufw/sysctl.conf + will override settings in /etc/sysctl.conf -This behavior can be changed by updating the IPT_SYSCTL - parameter in /etc/default/ufw + This behavior can be changed by updating the IPT_SYSCTL + parameter in /etc/default/ufw @@ -14425,10 +14425,10 @@ This behavior can be changed by updating the /etc/sysctl.conf - or a file in /etc/sysctl.d/ - ending in .conf -: + Set the following parameter in /etc/sysctl.conf + or a file in /etc/sysctl.d/ + ending in .conf + : net.ipv4.icmp_ignore_bogus_error_responses = 1 
@@ -14438,19 +14438,19 @@ Set the following parameter in Example: # printf '%s\n' "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/60-netipv4_sysctl.conf - + Run the following script to set the active kernel parameters: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
- sysctl -w net.ipv4.route.flush=1
-}
-
+ {
+ sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
+ sysctl -w net.ipv4.route.flush=1
+ } + Note: - If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten + If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten @@ -14466,9 +14466,9 @@ Set the following parameter in Ensure broadcast icmp requests are ignored -Setting net.ipv4.icmp_echo_ignore_broadcasts - to 1 - will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses. + Setting net.ipv4.icmp_echo_ignore_broadcasts + to 1 + will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses. @@ -14489,16 +14489,16 @@ Setting net.ipv4.icmp_echo_ignore_b -On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf + On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf -The settings in /etc/ufw/sysctl.conf - will override settings in /etc/sysctl.conf + The settings in /etc/ufw/sysctl.conf + will override settings in /etc/sysctl.conf -This behavior can be changed by updating the IPT_SYSCTL - parameter in /etc/default/ufw + This behavior can be changed by updating the IPT_SYSCTL + parameter in /etc/default/ufw @@ -14513,10 +14513,10 @@ This behavior can be changed by updating the /etc/sysctl.conf - or a file in /etc/sysctl.d/ - ending in .conf -: + Set the following parameter in /etc/sysctl.conf + or a file in /etc/sysctl.d/ + ending in .conf + : net.ipv4.icmp_echo_ignore_broadcasts = 1 @@ -14526,19 +14526,19 @@ Set the following parameter in Example: # printf '%s\n' "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.d/60-netipv4_sysctl.conf - + Run the following script to set the active kernel parameters: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
- sysctl -w net.ipv4.route.flush=1
-}
-
+ {
+ sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
+ sysctl -w net.ipv4.route.flush=1
+ } + Note: - If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten + If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten @@ -14574,28 +14574,28 @@ Set the following parameter in
-On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf + On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf -The settings in /etc/ufw/sysctl.conf - will override settings in /etc/sysctl.conf + The settings in /etc/ufw/sysctl.conf + will override settings in /etc/sysctl.conf -This behavior can be changed by updating the IPT_SYSCTL - parameter in /etc/default/ufw + This behavior can be changed by updating the IPT_SYSCTL + parameter in /etc/default/ufw
-ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects -, net.ipv4.conf.default.accept_redirects -, net.ipv6.conf.all.accept_redirects -, and net.ipv6.conf.default.accept_redirects - to 0 -, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables. + ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects + , net.ipv4.conf.default.accept_redirects + , net.ipv6.conf.all.accept_redirects + , and net.ipv6.conf.default.accept_redirects + to 0 + , the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables. @@ -14604,10 +14604,10 @@ ICMP redirect messages are packets that convey routing information and tell your -Set the following parameters in /etc/sysctl.conf - or a file in /etc/sysctl.d/ - ending in .conf -: + Set the following parameters in /etc/sysctl.conf + or a file in /etc/sysctl.d/ + ending in .conf + : net.ipv4.conf.all.accept_redirects = 0 @@ -14620,25 +14620,25 @@ Set the following parameters in Example: # printf '%s\n' "net.ipv4.conf.all.accept_redirects = 0" "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.d/60-netipv4_sysctl.conf - + Run the following script to set the active kernel parameters: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- sysctl -w net.ipv4.conf.all.accept_redirects=0
- sysctl -w net.ipv4.conf.default.accept_redirects=0
- sysctl -w net.ipv4.route.flush=1
-}
-
+ {
+ sysctl -w net.ipv4.conf.all.accept_redirects=0
+ sysctl -w net.ipv4.conf.default.accept_redirects=0
+ sysctl -w net.ipv4.route.flush=1
+ } + - IF - - IPv6 is enabled on the system: + IPv6 is enabled on the system: -Set the following parameters in /etc/sysctl.conf - or a file in /etc/sysctl.d/ - ending in .conf -: + Set the following parameters in /etc/sysctl.conf + or a file in /etc/sysctl.d/ + ending in .conf + : net.ipv6.conf.all.accept_redirects = 0 @@ -14651,20 +14651,20 @@ Set the following parameters in Example: # printf '%s\n' "net.ipv6.conf.all.accept_redirects = 0" "net.ipv6.conf.default.accept_redirects = 0" >> /etc/sysctl.d/60-netipv6_sysctl.conf - + Run the following script to set the active kernel parameters: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- sysctl -w net.ipv6.conf.all.accept_redirects=0
- sysctl -w net.ipv6.conf.default.accept_redirects=0
- sysctl -w net.ipv6.route.flush=1
-}
-
+ {
+ sysctl -w net.ipv6.conf.all.accept_redirects=0
+ sysctl -w net.ipv6.conf.default.accept_redirects=0
+ sysctl -w net.ipv6.route.flush=1
+ } + Note: - If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten + If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten
@@ -14719,26 +14719,26 @@ Set the following parameters in -On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf + On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf -The settings in /etc/ufw/sysctl.conf - will override settings in /etc/sysctl.conf + The settings in /etc/ufw/sysctl.conf + will override settings in /etc/sysctl.conf -This behavior can be changed by updating the IPT_SYSCTL - parameter in /etc/default/ufw + This behavior can be changed by updating the IPT_SYSCTL + parameter in /etc/default/ufw
-It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects - and net.ipv4.conf.default.secure_redirects - to 0 - protects the system from routing table updates by possibly compromised known gateways. + It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects + and net.ipv4.conf.default.secure_redirects + to 0 + protects the system from routing table updates by possibly compromised known gateways. @@ -14747,10 +14747,10 @@ It is still possible for even known gateways to be compromised. Setting -Set the following parameters in /etc/sysctl.conf - or a file in /etc/sysctl.d/ - ending in .conf -: + Set the following parameters in /etc/sysctl.conf + or a file in /etc/sysctl.d/ + ending in .conf + : net.ipv4.conf.all.secure_redirects = 0 @@ -14763,20 +14763,20 @@ Set the following parameters in Example: # printf '%s\n' "net.ipv4.conf.all.secure_redirects = 0" "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/60-netipv4_sysctl.conf - + Run the following script to set the active kernel parameters: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- sysctl -w net.ipv4.conf.all.secure_redirects=0
- sysctl -w net.ipv4.conf.default.secure_redirects=0
- sysctl -w net.ipv4.route.flush=1
-}
-
+ {
+ sysctl -w net.ipv4.conf.all.secure_redirects=0
+ sysctl -w net.ipv4.conf.default.secure_redirects=0
+ sysctl -w net.ipv4.route.flush=1
+ } + Note: - If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten + If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten
@@ -14797,11 +14797,11 @@ Set the following parameters in Ensure reverse path filtering is enabled -Setting net.ipv4.conf.all.rp_filter - and net.ipv4.conf.default.rp_filter - to 1 - forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians - is set). + Setting net.ipv4.conf.all.rp_filter + and net.ipv4.conf.default.rp_filter + to 1 + forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians + is set). 
@@ -14822,26 +14822,26 @@ Setting net.ipv4.conf.all.rp_filter -On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf + On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf -The settings in /etc/ufw/sysctl.conf - will override settings in /etc/sysctl.conf + The settings in /etc/ufw/sysctl.conf + will override settings in /etc/sysctl.conf -This behavior can be changed by updating the IPT_SYSCTL - parameter in /etc/default/ufw + This behavior can be changed by updating the IPT_SYSCTL + parameter in /etc/default/ufw -Setting net.ipv4.conf.all.rp_filter - and net.ipv4.conf.default.rp_filter - to 1 - is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing. + Setting net.ipv4.conf.all.rp_filter + and net.ipv4.conf.default.rp_filter + to 1 + is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing. @@ -14850,10 +14850,10 @@ Setting net.ipv4.conf.all.rp_filter -Set the following parameters in /etc/sysctl.conf - or a file in /etc/sysctl.d/ - ending in .conf -: + Set the following parameters in /etc/sysctl.conf + or a file in /etc/sysctl.d/ + ending in .conf + : net.ipv4.conf.all.rp_filter = 1 
@@ -14866,20 +14866,20 @@ Set the following parameters in Example: # printf '%s\n' "net.ipv4.conf.all.rp_filter = 1" "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.d/60-netipv4_sysctl.conf - + Run the following script to set the active kernel parameters: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- sysctl -w net.ipv4.conf.all.rp_filter=1
- sysctl -w net.ipv4.conf.default.rp_filter=1
- sysctl -w net.ipv4.route.flush=1
-}
-
+ {
+ sysctl -w net.ipv4.conf.all.rp_filter=1
+ sysctl -w net.ipv4.conf.default.rp_filter=1
+ sysctl -w net.ipv4.route.flush=1
+ } + Note: - If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten + If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten Impact: If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing. @@ -14924,28 +14924,28 @@ Set the following parameters in -On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf + On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf -The settings in /etc/ufw/sysctl.conf - will override settings in /etc/sysctl.conf + The settings in /etc/ufw/sysctl.conf + will override settings in /etc/sysctl.conf -This behavior can be changed by updating the IPT_SYSCTL - parameter in /etc/default/ufw + This behavior can be changed by updating the IPT_SYSCTL + parameter in /etc/default/ufw
-Setting net.ipv4.conf.all.accept_source_route -, net.ipv4.conf.default.accept_source_route -, net.ipv6.conf.all.accept_source_route - and net.ipv6.conf.default.accept_source_route - to 0 - disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing. + Setting net.ipv4.conf.all.accept_source_route + , net.ipv4.conf.default.accept_source_route + , net.ipv6.conf.all.accept_source_route + and net.ipv6.conf.default.accept_source_route + to 0 + disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing. 
@@ -14954,10 +14954,10 @@ Setting net.ipv4.conf.all.accept_so -Set the following parameters in /etc/sysctl.conf - or a file in /etc/sysctl.d/ - ending in .conf -: + Set the following parameters in /etc/sysctl.conf + or a file in /etc/sysctl.d/ + ending in .conf + : net.ipv4.conf.all.accept_source_route = 0 @@ -14970,25 +14970,25 @@ Set the following parameters in Example: # printf '%s\n' "net.ipv4.conf.all.accept_source_route = 0" "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/60-netipv4_sysctl.conf - + Run the following script to set the active kernel parameters: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- sysctl -w net.ipv4.conf.all.accept_source_route=0
- sysctl -w net.ipv4.conf.default.accept_source_route=0
- sysctl -w net.ipv4.route.flush=1
-}
-
+ {
+ sysctl -w net.ipv4.conf.all.accept_source_route=0
+ sysctl -w net.ipv4.conf.default.accept_source_route=0
+ sysctl -w net.ipv4.route.flush=1
+ } + - IF - - IPv6 is enabled on the system: + IPv6 is enabled on the system: -Set the following parameters in /etc/sysctl.conf - or a file in /etc/sysctl.d/ - ending in .conf -: + Set the following parameters in /etc/sysctl.conf + or a file in /etc/sysctl.d/ + ending in .conf + : net.ipv6.conf.all.accept_source_route = 0 @@ -15001,20 +15001,20 @@ Set the following parameters in Example: # printf '%s\n' "net.ipv6.conf.all.accept_source_route = 0" "net.ipv6.conf.default.accept_source_route = 0" >> /etc/sysctl.d/60-netipv6_sysctl.conf - + Run the following command to set the active kernel parameters: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- sysctl -w net.ipv6.conf.all.accept_source_route=0
- sysctl -w net.ipv6.conf.default.accept_source_route=0
- sysctl -w net.ipv6.route.flush=1
-}
-
+ {
+ sysctl -w net.ipv6.conf.all.accept_source_route=0
+ sysctl -w net.ipv6.conf.default.accept_source_route=0
+ sysctl -w net.ipv6.route.flush=1
+ } + Note: - If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten + If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten
@@ -15074,26 +15074,26 @@ Set the following parameters in -On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf + On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf -The settings in /etc/ufw/sysctl.conf - will override settings in /etc/sysctl.conf + The settings in /etc/ufw/sysctl.conf + will override settings in /etc/sysctl.conf -This behavior can be changed by updating the IPT_SYSCTL - parameter in /etc/default/ufw + This behavior can be changed by updating the IPT_SYSCTL + parameter in /etc/default/ufw
-Setting net.ipv4.conf.all.log_martians - and net.ipv4.conf.default.log_martians - to 1 - enables this feature. Logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system. + Setting net.ipv4.conf.all.log_martians + and net.ipv4.conf.default.log_martians + to 1 + enables this feature. Logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system. @@ -15103,10 +15103,10 @@ Setting net.ipv4.conf.all.log_marti -Set the following parameters in /etc/sysctl.conf - or a file in /etc/sysctl.d/ - ending in .conf -: + Set the following parameters in /etc/sysctl.conf + or a file in /etc/sysctl.d/ + ending in .conf + : net.ipv4.conf.all.log_martians = 1 @@ -15119,20 +15119,20 @@ Set the following parameters in Example: # printf '%s\n' "net.ipv4.conf.all.log_martians = 1" "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.d/60-netipv4_sysctl.conf - + Run the following script to set the active kernel parameters: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- sysctl -w net.ipv4.conf.all.log_martians=1
- sysctl -w net.ipv4.conf.default.log_martians=1
- sysctl -w net.ipv4.route.flush=1
-} -
+ {
+ sysctl -w net.ipv4.conf.all.log_martians=1
+ sysctl -w net.ipv4.conf.default.log_martians=1
+ sysctl -w net.ipv4.route.flush=1
+ } + Note: - If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten + If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten
@@ -15153,8 +15153,8 @@ Set the following parameters in Ensure tcp syn cookies is enabled -When tcp_syncookies - is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN/ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue. + When tcp_syncookies + is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN/ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue. 
@@ -15175,25 +15175,25 @@ When tcp_syncookies -On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf + On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf -The settings in /etc/ufw/sysctl.conf - will override settings in /etc/sysctl.conf + The settings in /etc/ufw/sysctl.conf + will override settings in /etc/sysctl.conf -This behavior can be changed by updating the IPT_SYSCTL - parameter in /etc/default/ufw + This behavior can be changed by updating the IPT_SYSCTL + parameter in /etc/default/ufw -Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. Setting net.ipv4.tcp_syncookies - to 1 - enables SYN cookies, allowing the system to keep accepting valid connections, even if under a denial of service attack. + Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. Setting net.ipv4.tcp_syncookies + to 1 + enables SYN cookies, allowing the system to keep accepting valid connections, even if under a denial of service attack. @@ -15202,10 +15202,10 @@ Attackers use SYN flood attacks to perform a denial of service attacked on a sys -Set the following parameter in /etc/sysctl.conf - or a file in /etc/sysctl.d/ - ending in .conf -: + Set the following parameter in /etc/sysctl.conf + or a file in /etc/sysctl.d/ + ending in .conf + : net.ipv4.tcp_syncookies = 1 
@@ -15215,19 +15215,19 @@ Set the following parameter in Example: # printf '%s\n' "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/60-netipv4_sysctl.conf - + Run the following script to set the active kernel parameters: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- sysctl -w net.ipv4.tcp_syncookies=1
- sysctl -w net.ipv4.route.flush=1
-} -
+ {
+ sysctl -w net.ipv4.tcp_syncookies=1
+ sysctl -w net.ipv4.route.flush=1
+ } + Note: - If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten + If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten
@@ -15245,8 +15245,8 @@ Set the following parameter in Routers periodically multicast Router Advertisement messages to announce their availability and convey information to neighboring nodes that enable them to be automatically configured on the network. net.ipv6.conf.all.accept_ra - and net.ipv6.conf.default.accept_ra - determine the systems ability to accept these advertisements + and net.ipv6.conf.default.accept_ra + determine the systems ability to accept these advertisements @@ -15267,26 +15267,26 @@ Set the following parameter in -On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf + On systems with Uncomplicated Firewall, additional settings may be configured in /etc/ufw/sysctl.conf -The settings in /etc/ufw/sysctl.conf - will override settings in /etc/sysctl.conf + The settings in /etc/ufw/sysctl.conf + will override settings in /etc/sysctl.conf -This behavior can be changed by updating the IPT_SYSCTL - parameter in /etc/default/ufw + This behavior can be changed by updating the IPT_SYSCTL + parameter in /etc/default/ufw -It is recommended that systems do not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes. Setting net.ipv6.conf.all.accept_ra - and net.ipv6.conf.default.accept_ra - to 0 - disables the system's ability to accept IPv6 router advertisements. + It is recommended that systems do not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes. Setting net.ipv6.conf.all.accept_ra + and net.ipv6.conf.default.accept_ra + to 0 + disables the system's ability to accept IPv6 router advertisements. 
@@ -15296,12 +15296,12 @@ It is recommended that systems do not accept router advertisements as they could - IF - - IPv6 is enabled on the system: + IPv6 is enabled on the system: -Set the following parameters in /etc/sysctl.conf - or a file in /etc/sysctl.d/ - ending in .conf -: + Set the following parameters in /etc/sysctl.conf + or a file in /etc/sysctl.d/ + ending in .conf + : net.ipv6.conf.all.accept_ra = 0 @@ -15314,20 +15314,20 @@ Set the following parameters in Example: # printf '%s\n' "net.ipv6.conf.all.accept_ra = 0" "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.d/60-netipv6_sysctl.conf - + Run the following script to set the active kernel parameters: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- sysctl -w net.ipv6.conf.all.accept_ra=0
- sysctl -w net.ipv6.conf.default.accept_ra=0
- sysctl -w net.ipv6.route.flush=1
-} -
+ {
+ sysctl -w net.ipv6.conf.all.accept_ra=0
+ sysctl -w net.ipv6.conf.default.accept_ra=0
+ sysctl -w net.ipv6.route.flush=1
+ } + Note: - If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten + If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten 
@@ -15350,44 +15350,44 @@ Set the following parameters in Host Based Firewall A Host Based Firewall, on a Linux system, is a set of rules used to protect machines from any unwanted traffic from outside. It enables users to -control incoming network traffic on host machines by defining a set of firewall rules. These rules are used to sort the incoming traffic and either block it or allow it through. + control incoming network traffic on host machines by defining a set of firewall rules. These rules are used to sort the incoming traffic and either block it or allow it through. In order to configure firewall rules a firewall utility needs to be installed. Guidance has been included for the following firewall utilities: firewallD -: the firewalld utility can be used for simple firewall use cases. The firewalld utility is easy to use and covers typical use cases. + : the firewalld utility can be used for simple firewall use cases. The firewalld utility is easy to use and covers typical use cases. nftables -: the nftables utility is often used to set up complex and performance-critical firewalls, such as a whole network. + : the nftables utility is often used to set up complex and performance-critical firewalls, such as a whole network. -Only one - method should be used to configure a firewall on the system. Use of more than one method could produce unexpected results. + Only one + method should be used to configure a firewall on the system. Use of more than one method could produce unexpected results. Note: This section is intended only to ensure the resulting firewall rules are in place, not how they are configured. -The ipset - and iptables-nft - packages have been deprecated in Fedora 34 based Linux distributions. This includes deprecation of nft-variants such as iptables -, ip6tables -, arptables -, and ebtables - utilities. 
If you are using any of these tools, for example, because you upgraded from an earlier version, we recommend migrating to the nft command line tool provided by the nftables - package. + The ipset + and iptables-nft + packages have been deprecated in Fedora 34 based Linux distributions. This includes deprecation of nft-variants such as iptables + , ip6tables + , arptables + , and ebtables + utilities. If you are using any of these tools, for example, because you upgraded from an earlier version, we recommend migrating to the nft command line tool provided by the nftables + package.
firewalld - with nftables - backend does not support passing custom nftables - rules to firewalld -, using the --direct - option. + with nftables + backend does not support passing custom nftables + rules to firewalld + , using the --direct + option. Allow port 22(ssh) needs to be updated to only allow systems requiring ssh connectivity to connect, as per site policy.
@@ -15395,12 +15395,12 @@ The ipset Configure a firewall utility -In order to configure firewall rules a firewall utility needs to be installed either nftables - or firewalld - (with default nftables backend). + In order to configure firewall rules a firewall utility needs to be installed either nftables + or firewalld + (with default nftables backend). -Only one - method should be used to configure a firewall on the system. Use of more than one method could produce unexpected results. + Only one + method should be used to configure a firewall on the system. Use of more than one method could produce unexpected results. Note: @@ -15443,10 +15443,10 @@ Only one -Run the following command to install nftables + Run the following command to install nftables # dnf install nftables - + Impact: Changing firewall settings while connected over the network can result in being locked out of the system. 
@@ -15466,17 +15466,17 @@ Run the following command to install FirewallD - - Is a firewall service daemon that provides a dynamic customizable host-based firewall with a D-Bus interface. Being dynamic, it enables creating, changing, and deleting the rules without the necessity to restart the firewall daemon each time the rules are changed. + - Is a firewall service daemon that provides a dynamic customizable host-based firewall with a D-Bus interface. Being dynamic, it enables creating, changing, and deleting the rules without the necessity to restart the firewall daemon each time the rules are changed. NFTables - - Includes the nft utility for configuration of the nftables subsystem of the Linux kernel. + - Includes the nft utility for configuration of the nftables subsystem of the Linux kernel. Notes: -firewalld with nftables backend does not support passing custom nftables rules to firewalld, using the --direct - option. + firewalld with nftables backend does not support passing custom nftables rules to firewalld, using the --direct + option. In order to configure firewall rules for nftables, a firewall utility needs to be installed and active of the system. The use of more than one firewall utility may produce unexpected results. Allow port 22(ssh) needs to be updated to only allow systems requiring ssh connectivity to connect, as per site policy. @@ -15516,57 +15516,57 @@ firewalld with nftables backend does not support passing custom nftables rules t Run the following script to ensure that a single firewall utility is in use on the system: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_fwd_status="" l_nft_status="" l_fwutil_status=""
- # Determine FirewallD utility Status
- rpm -q firewalld > /dev/null 2>&1 && l_fwd_status="$(systemctl is-enabled firewalld.service):$(systemctl is-active firewalld.service)"
- # Determine NFTables utility Status
- rpm -q nftables > /dev/null 2>&1 && l_nft_status="$(systemctl is-enabled nftables.service):$(systemctl is-active nftables.service)"
- l_fwutil_status="$l_fwd_status:$l_nft_status"
- case $l_fwutil_status in
- enabled:active:masked:inactive|enabled:active:disabled:inactive)
- echo -e "\n - FirewallD utility is in use, enabled and active\n - NFTables utility is correctly disabled or masked and inactive\n - no remediation required" ;;
- masked:inactive:enabled:active|disabled:inactive:enabled:active)
- echo -e "\n - NFTables utility is in use, enabled and active\n - FirewallD utility is correctly disabled or masked and inactive\n - no remediation required" ;;
- enabled:active:enabled:active)
- echo -e "\n - Both FirewallD and NFTables utilities are enabled and active\n - stopping and masking NFTables utility"
- systemctl stop nftables && systemctl --now mask nftables ;;
- enabled:*:enabled:*)
- echo -e "\n - Both FirewallD and NFTables utilities are enabled\n - remediating"
- if [ "$(awk -F: '{print $2}' <<< "$l_fwutil_status")" = "active" ] && [ "$(awk -F: '{print $4}' <<< "$l_fwutil_status")" = "inactive" ]; then
- echo " - masking NFTables utility"
- systemctl stop nftables && systemctl --now mask nftables
- elif [ "$(awk -F: '{print $4}' <<< "$l_fwutil_status")" = "active" ] && [ "$(awk -F: '{print $2}' <<< "$l_fwutil_status")" = "inactive" ]; then
- echo " - masking FirewallD utility"
- systemctl stop firewalld && systemctl --now mask firewalld
- fi ;;
- *:active:*:active)
- echo -e "\n - Both FirewallD and NFTables utilities are active\n - remediating"
- if [ "$(awk -F: '{print $1}' <<< "$l_fwutil_status")" = "enabled" ] && [ "$(awk -F: '{print $3}' <<< "$l_fwutil_status")" != "enabled" ]; then
- echo " - stopping and masking NFTables utility"
- systemctl stop nftables && systemctl --now mask nftables
- elif [ "$(awk -F: '{print $3}' <<< "$l_fwutil_status")" = "enabled" ] && [ "$(awk -F: '{print $1}' <<< "$l_fwutil_status")" != "enabled" ]; then
- echo " - stopping and masking FirewallD utility"
- systemctl stop firewalld && systemctl --now mask firewalld
- fi ;;
- :enabled:active)
- echo -e "\n - NFTables utility is in use, enabled, and active\n - FirewallD package is not installed\n - no remediation required" ;;
- :)
- echo -e "\n - Neither FirewallD or NFTables is installed.\n - remediating\n - installing NFTables"
- echo -e "\n - Configure only ONE firewall either NFTables OR Firewalld and follow the according subsection to complete this remediation process"
- dnf -q install nftables ;;
- *:*:)
- echo -e "\n - NFTables package is not installed on the system\n - remediating\n - installing NFTables"
- echo -e "\n - Configure only ONE firewall either NFTables OR Firewalld and follow the according subsection to complete this remediation process"
- dnf -q install nftables ;;
- *)
- echo -e "\n - Unable to determine firewall state"
- echo -e "\n - MANUAL REMEDIATION REQUIRED: Configure only ONE firewall either NFTables OR Firewalld" ;;
- esac
-} -
+ {
+ l_fwd_status="" l_nft_status="" l_fwutil_status=""
+ # Determine FirewallD utility Status
+ rpm -q firewalld > /dev/null 2>&1 && l_fwd_status="$(systemctl is-enabled firewalld.service):$(systemctl is-active firewalld.service)"
+ # Determine NFTables utility Status
+ rpm -q nftables > /dev/null 2>&1 && l_nft_status="$(systemctl is-enabled nftables.service):$(systemctl is-active nftables.service)"
+ l_fwutil_status="$l_fwd_status:$l_nft_status"
+ case $l_fwutil_status in
+ enabled:active:masked:inactive|enabled:active:disabled:inactive)
+ echo -e "\n - FirewallD utility is in use, enabled and active\n - NFTables utility is correctly disabled or masked and inactive\n - no remediation required" ;;
+ masked:inactive:enabled:active|disabled:inactive:enabled:active)
+ echo -e "\n - NFTables utility is in use, enabled and active\n - FirewallD utility is correctly disabled or masked and inactive\n - no remediation required" ;;
+ enabled:active:enabled:active)
+ echo -e "\n - Both FirewallD and NFTables utilities are enabled and active\n - stopping and masking NFTables utility"
+ systemctl stop nftables && systemctl --now mask nftables ;;
+ enabled:*:enabled:*)
+ echo -e "\n - Both FirewallD and NFTables utilities are enabled\n - remediating"
+ if [ "$(awk -F: '{print $2}' <<< "$l_fwutil_status")" = "active" ] && [ "$(awk -F: '{print $4}' <<< "$l_fwutil_status")" = "inactive" ]; then
+ echo " - masking NFTables utility"
+ systemctl stop nftables && systemctl --now mask nftables
+ elif [ "$(awk -F: '{print $4}' <<< "$l_fwutil_status")" = "active" ] && [ "$(awk -F: '{print $2}' <<< "$l_fwutil_status")" = "inactive" ]; then
+ echo " - masking FirewallD utility"
+ systemctl stop firewalld && systemctl --now mask firewalld
+ fi ;;
+ *:active:*:active)
+ echo -e "\n - Both FirewallD and NFTables utilities are active\n - remediating"
+ if [ "$(awk -F: '{print $1}' <<< "$l_fwutil_status")" = "enabled" ] && [ "$(awk -F: '{print $3}' <<< "$l_fwutil_status")" != "enabled" ]; then
+ echo " - stopping and masking NFTables utility"
+ systemctl stop nftables && systemctl --now mask nftables
+ elif [ "$(awk -F: '{print $3}' <<< "$l_fwutil_status")" = "enabled" ] && [ "$(awk -F: '{print $1}' <<< "$l_fwutil_status")" != "enabled" ]; then
+ echo " - stopping and masking FirewallD utility"
+ systemctl stop firewalld && systemctl --now mask firewalld
+ fi ;;
+ :enabled:active)
+ echo -e "\n - NFTables utility is in use, enabled, and active\n - FirewallD package is not installed\n - no remediation required" ;;
+ :)
+ echo -e "\n - Neither FirewallD or NFTables is installed.\n - remediating\n - installing NFTables"
+ echo -e "\n - Configure only ONE firewall either NFTables OR Firewalld and follow the according subsection to complete this remediation process"
+ dnf -q install nftables ;;
+ *:*:)
+ echo -e "\n - NFTables package is not installed on the system\n - remediating\n - installing NFTables"
+ echo -e "\n - Configure only ONE firewall either NFTables OR Firewalld and follow the according subsection to complete this remediation process"
+ dnf -q install nftables ;;
+ *)
+ echo -e "\n - Unable to determine firewall state"
+ echo -e "\n - MANUAL REMEDIATION REQUIRED: Configure only ONE firewall either NFTables OR Firewalld" ;;
+ esac
+ } +
@@ -15623,11 +15623,11 @@ firewalld with nftables backend does not support passing custom nftables rules t firewalld - uses the concepts of zones and services, that simplify the traffic management. Zones are -predefined sets of rules that cover all necessary settings to allow or deny incoming traffic for a specific service and zone. + uses the concepts of zones and services, that simplify the traffic management. Zones are + predefined sets of rules that cover all necessary settings to allow or deny incoming traffic for a specific service and zone. Important: - Configuration of a live systems firewall directly over a remote connection will often result in being locked out. It is advised to have a known good firewall configuration set to run on boot and to configure an entire firewall structure in a script that is then run and tested before saving to boot. + Configuration of a live systems firewall directly over a remote connection will often result in being locked out. It is advised to have a known good firewall configuration set to run on boot and to configure an entire firewall structure in a script that is then run and tested before saving to boot. Warning: Only one method should be used to configure a firewall on the system. Use of more than one method could produce unexpected results. 
@@ -15636,51 +15636,51 @@ predefined sets of rules that cover all necessary settings to allow or deny inco Note: - IF - nftables - is being used this subsection should be skipped. + is being used this subsection should be skipped. -The following example will create a firewalld - zone called securezone - to implement the firewall rules of this section leveraging the firewalld utility included with the firewalld package. This example will open port 22(ssh) from anywhere. Opening service SSH - should be updated in accordance with local site policy. If another name for the zone is preferred, replace securezone - with the name to be used. + The following example will create a firewalld + zone called securezone + to implement the firewall rules of this section leveraging the firewalld utility included with the firewalld package. This example will open port 22(ssh) from anywhere. Opening service SSH + should be updated in accordance with local site policy. If another name for the zone is preferred, replace securezone + with the name to be used. Sample securezone zone xml file -<?xml version="1.0" encoding="utf-8"?>
-<zone target="DROP">
- <description>For use with CIS Linux Benchmark. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
- <service name="ssh"/>
- <service name="dhcpv6-client"/>
- <icmp-block name="destination-unreachable"/>
- <icmp-block name="packet-too-big"/>
- <icmp-block name="time-exceeded"/>
- <icmp-block name="parameter-problem"/>
- <icmp-block name="neighbour-advertisement"/>
- <icmp-block name="neighbour-solicitation"/>
- <icmp-block name="router-advertisement"/>
- <icmp-block name="router-solicitation"/>
- <rule family="ipv4">
- <source address="127.0.0.1"/>
- <destination address="127.0.0.1" invert="True"/>
- <drop/>
- </rule>
- <rule family="ipv6">
- <source address="::1"/>
- <destination address="::1" invert="True"/>
- <drop/>
- </rule>
- <icmp-block-inversion/>
-</zone> -
+ <?xml version="1.0" encoding="utf-8"?>
+ <zone target="DROP">
+ <description>For use with CIS Linux Benchmark. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
+ <service name="ssh"/>
+ <service name="dhcpv6-client"/>
+ <icmp-block name="destination-unreachable"/>
+ <icmp-block name="packet-too-big"/>
+ <icmp-block name="time-exceeded"/>
+ <icmp-block name="parameter-problem"/>
+ <icmp-block name="neighbour-advertisement"/>
+ <icmp-block name="neighbour-solicitation"/>
+ <icmp-block name="router-advertisement"/>
+ <icmp-block name="router-solicitation"/>
+ <rule family="ipv4">
+ <source address="127.0.0.1"/>
+ <destination address="127.0.0.1" invert="True"/>
+ <drop/>
+ </rule>
+ <rule family="ipv6">
+ <source address="::1"/>
+ <destination address="::1" invert="True"/>
+ <drop/>
+ </rule>
+ <icmp-block-inversion/>
+ </zone> + Note: - To use this zone, save this as /etc/firewalld/zones/securezone.xml - and run the following commands: + To use this zone, save this as /etc/firewalld/zones/securezone.xml + and run the following commands: -# firewall-cmd --reload
-# firewall-cmd --permanent --zone=securezone --change-interface={NAME OF NETWORK INTERFACE} -
+ # firewall-cmd --reload
+ # firewall-cmd --permanent --zone=securezone --change-interface={NAME OF NETWORK INTERFACE} +
Ensure firewalld drops unnecessary services and ports @@ -15699,7 +15699,7 @@ The following example will create a f - IF - NFTables - is being used, this recommendation can be skipped. + is being used, this recommendation can be skipped. Allow port 22(ssh) needs to be updated to only allow systems requiring ssh connectivity to connect, as per site policy.
@@ -15735,23 +15735,23 @@ The following example will create a f If Firewalld is in use on the system: Run the following command to remove an unnecessary service: # firewall-cmd --remove-service=<service> - + Example: # firewall-cmd --remove-service=cockpit - + Run the following command to remove an unnecessary port: # firewall-cmd --remove-port=<port-number>/<port-type> - + Example: # firewall-cmd --remove-port=25/tcp - + Run the following command to make new settings persistent: # firewall-cmd --runtime-to-permanent - + @@ -15791,45 +15791,45 @@ The following example will create a f Run the following script to implement the loopback rules: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{ l_hbfw=""
- if systemctl is-enabled firewalld.service | grep -q 'enabled'; then
- echo -e "\n - FirewallD is in use on the system" && l_hbfw="fwd"
- elif systemctl is-enabled nftables.service 2>/dev/null | grep -q 'enabled'; then
- echo -e "\n - nftables is in use on the system \n - Recommendation is NA \n - Remediation Complete" && l_hbfw="nft"
- fi
- if [ "$l_hbfw" = "fwd" ]; then
- l_ipsaddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook\s+input\s+/,/\}\s*(#.*)?$/' | grep -P -- 'ip\h+saddr')"
- if ! nft list ruleset | awk '/hook\s+input\s+/,/\}\s*(#.*)?$/' | grep -Pq -- '\H+\h+"lo"\h+accept'; then
- echo -e "\n - Enabling input to accept for loopback address"
- firewall-cmd --permanent --zone=trusted --add-interface=lo
- firewall-cmd --reload
- else
- echo -e "\n - firewalld input correctly set to accept for loopback address"
- if ! grep -Pq -- 'ip\h+saddr\h+127\.0\.0\.0\/8\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ipsaddr" && ! grep -Pq -- 'ip\h+daddr\h+\!\=\h+127\.0\.0\.1\h+ip\h+saddr\h+127\.0\.0\.1\h+drop' <<< "$l_ipsaddr"; then
- echo -e "\n - Setting IPv4 network traffic from loopback address to drop"
- firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
- firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
- firewall-cmd --reload
- else
- echo -e "\n - firewalld correctly set IPv4 network traffic from loopback address to drop"
- fi
- if grep -Pq -- '^\h*0\h*$' /sys/module/ipv6/parameters/disable; then
- l_ip6saddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook input/,/}/' | grep 'ip6 saddr')"
- if ! grep -Pq 'ip6\h+saddr\h+::1\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ip6saddr" && ! grep -Pq -- 'ip6\h+daddr\h+\!=\h+::1\h+ip6\h+saddr\h+::1\h+drop' <<< "$l_ip6saddr"; then
- echo -e "\n - Setting IPv6 network traffic from loopback address to drop"
- firewall-cmd --permanent --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
- firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
- firewall-cmd --reload
- else
- echo -e "\n - firewalld correctly set IPv6 network traffic from loopback address to drop"
- fi
- fi
- fi
- fi
-} -
+ { l_hbfw=""
+ if systemctl is-enabled firewalld.service | grep -q 'enabled'; then
+ echo -e "\n - FirewallD is in use on the system" && l_hbfw="fwd"
+ elif systemctl is-enabled nftables.service 2>/dev/null | grep -q 'enabled'; then
+ echo -e "\n - nftables is in use on the system \n - Recommendation is NA \n - Remediation Complete" && l_hbfw="nft"
+ fi
+ if [ "$l_hbfw" = "fwd" ]; then
+ l_ipsaddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook\s+input\s+/,/\}\s*(#.*)?$/' | grep -P -- 'ip\h+saddr')"
+ if ! nft list ruleset | awk '/hook\s+input\s+/,/\}\s*(#.*)?$/' | grep -Pq -- '\H+\h+"lo"\h+accept'; then
+ echo -e "\n - Enabling input to accept for loopback address"
+ firewall-cmd --permanent --zone=trusted --add-interface=lo
+ firewall-cmd --reload
+ else
+ echo -e "\n - firewalld input correctly set to accept for loopback address"
+ if ! grep -Pq -- 'ip\h+saddr\h+127\.0\.0\.0\/8\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ipsaddr" && ! grep -Pq -- 'ip\h+daddr\h+\!\=\h+127\.0\.0\.1\h+ip\h+saddr\h+127\.0\.0\.1\h+drop' <<< "$l_ipsaddr"; then
+ echo -e "\n - Setting IPv4 network traffic from loopback address to drop"
+ firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
+ firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
+ firewall-cmd --reload
+ else
+ echo -e "\n - firewalld correctly set IPv4 network traffic from loopback address to drop"
+ fi
+ if grep -Pq -- '^\h*0\h*$' /sys/module/ipv6/parameters/disable; then
+ l_ip6saddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook input/,/}/' | grep 'ip6 saddr')"
+ if ! grep -Pq 'ip6\h+saddr\h+::1\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ip6saddr" && ! grep -Pq -- 'ip6\h+daddr\h+\!=\h+::1\h+ip6\h+saddr\h+::1\h+drop' <<< "$l_ip6saddr"; then
+ echo -e "\n - Setting IPv6 network traffic from loopback address to drop"
+ firewall-cmd --permanent --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
+ firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
+ firewall-cmd --reload
+ else
+ echo -e "\n - firewalld correctly set IPv6 network traffic from loopback address to drop"
+ fi
+ fi
+ fi
+ fi
+ } +
@@ -15845,18 +15845,18 @@ The following example will create a f Configure NFTables -The nftables - framework classifies packets and it is the successor to the iptables -, ip6tables -, arptables -, ebtables -, and ipset - utilities. The nftables - framework uses tables to store chains. The chains contain individual rules for performing actions. The nft - utility replaces all tools from the previous packet-filtering frameworks. + The nftables + framework classifies packets and it is the successor to the iptables + , ip6tables + , arptables + , ebtables + , and ipset + utilities. The nftables + framework uses tables to store chains. The chains contain individual rules for performing actions. The nft + utility replaces all tools from the previous packet-filtering frameworks. Important: - Configuration of a live systems firewall directly over a remote connection will often result in being locked out. It is advised to have a known good firewall configuration set to run on boot and to configure an entire firewall structure in a script that is then run and tested before saving to boot. + Configuration of a live systems firewall directly over a remote connection will often result in being locked out. It is advised to have a known good firewall configuration set to run on boot and to configure an entire firewall structure in a script that is then run and tested before saving to boot. Warning: Only one method should be used to configure a firewall on the system. Use of more than one method could produce unexpected results. 
@@ -15865,69 +15865,69 @@ The nftables Note: - IF - firewalld - is being used this subsection should be skipped. + is being used this subsection should be skipped. -The following will implement the firewall rules of this section leveraging the nftables - utility included with the nftables - package. This example will open ICMP, IGMP, and port 22(ssh) from anywhere. Opening the ports for ICMP, IGMP, and port 22(ssh) needs to be updated in accordance with local site policy. Allow port 22(ssh) should to be updated to only allow systems requiring ssh connectivity to connect, as per site policy. + The following will implement the firewall rules of this section leveraging the nftables + utility included with the nftables + package. This example will open ICMP, IGMP, and port 22(ssh) from anywhere. Opening the ports for ICMP, IGMP, and port 22(ssh) needs to be updated in accordance with local site policy. Allow port 22(ssh) should to be updated to only allow systems requiring ssh connectivity to connect, as per site policy. -Save the script below as /etc/nftables/nftables_rules.nft + Save the script below as /etc/nftables/nftables_rules.nft -#!/usr/sbin/nft -f
+ #!/usr/sbin/nft -f

-# flush nftables rulesset
-flush ruleset
+ # flush nftables rulesset
+ flush ruleset

-# Load nftables ruleset
-# nftables config with inet table named filter
+ # Load nftables ruleset
+ # nftables config with inet table named filter

-table inet filter {
- chain input {
- type filter hook input priority 0; policy drop;
+ table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;

- # allow loopback if not forged
- iif lo accept
- iif != lo ip saddr 127.0.0.1/8 drop
- iif != lo ip6 saddr ::1/128 drop
+ # allow loopback if not forged
+ iif lo accept
+ iif != lo ip saddr 127.0.0.1/8 drop
+ iif != lo ip6 saddr ::1/128 drop

- # allow connections made by ourselves
- ip protocol tcp ct state established accept
- ip protocol udp ct state established accept
- ip protocol icmp ct state established accept
+ # allow connections made by ourselves
+ ip protocol tcp ct state established accept
+ ip protocol udp ct state established accept
+ ip protocol icmp ct state established accept

- # allow from anywhere
- ip protocol igmp accept
- tcp dport ssh accept
+ # allow from anywhere
+ ip protocol igmp accept
+ tcp dport ssh accept

- # allow some icmp
- icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
- icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
- }
+ # allow some icmp
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
+ icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
+ }

- chain forward {
- # drop all forward
- type filter hook forward priority 0; policy drop;
- }
+ chain forward {
+ # drop all forward
+ type filter hook forward priority 0; policy drop;
+ }

- chain output {
- # can omit this as its accept by default
- type filter hook output priority 0; policy accept;
- }
-} -
+ chain output {
+ # can omit this as its accept by default
+ type filter hook output priority 0; policy accept;
+ }
+ } + Run the following command to run nftables script by passing it to the nft utility: # nft -f /etc/nftables/nftables_rules.nft - + Note: - All changes in the nftables subsections are temporary + All changes in the nftables subsections are temporary To make these changes permanent and automatically load nftables rules when the system boots: -Add the following line to /etc/sysconfig/nftables.conf + Add the following line to /etc/sysconfig/nftables.conf include "/etc/nftables/nftables_rules.nft" - +
Ensure nftables base chains exist
@@ -15937,7 +15937,7 @@ Add the following line to /etc/syscon Note: - IF - Firewalld - is in use, this recommendation can be skipped. + is in use, this recommendation can be skipped.
@@ -15971,30 +15971,30 @@ Add the following line to /etc/syscon - IF - NFTables - utility is in use on your system: + utility is in use on your system: Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \; } - + Example:
-# nft create chain inet filter input { type filter hook input priority 0 \; }
-# nft create chain inet filter forward { type filter hook forward priority 0 \; }
-# nft create chain inet filter output { type filter hook output priority 0 \; } -
+ # nft create chain inet filter input { type filter hook input priority 0 \; }
+ # nft create chain inet filter forward { type filter hook forward priority 0 \; }
+ # nft create chain inet filter output { type filter hook output priority 0 \; } + Note: - use the add - command if the create - command returns an error due to the chain already existing. + use the add + command if the create + command returns an error due to the chain already existing. Impact: -If configuring over ssh, creating - a base chain - with a policy of drop - will cause loss of connectivity. + If configuring over ssh, creating + a base chain + with a policy of drop + will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop
@@ -16040,7 +16040,7 @@ If configuring over ssh, crea Note: - IF - Firewalld - is in use, this recommendation can be skipped. + is in use, this recommendation can be skipped.
@@ -16073,13 +16073,13 @@ If configuring over ssh, crea - IF - NFTables - utility is in use on your system: + utility is in use on your system: Configure nftables in accordance with site policy. The following commands will implement a policy to allow all established connections:
-# systemctl is-enabled nftables.service | grep -q 'enabled' && nft add rule inet filter input ip protocol tcp ct state established accept
-# systemctl is-enabled nftables.service | grep -q 'enabled' && nft add rule inet filter input ip protocol udp ct state established accept
-# systemctl is-enabled nftables.service | grep -q 'enabled' && nft add rule inet filter input ip protocol icmp ct state established accept -
+ # systemctl is-enabled nftables.service | grep -q 'enabled' && nft add rule inet filter input ip protocol tcp ct state established accept
+ # systemctl is-enabled nftables.service | grep -q 'enabled' && nft add rule inet filter input ip protocol udp ct state established accept
+ # systemctl is-enabled nftables.service | grep -q 'enabled' && nft add rule inet filter input ip protocol icmp ct state established accept +
@@ -16109,8 +16109,8 @@ If configuring over ssh, crea
-There are two policies: accept (Default) and drop. If the policy is set to accept -, the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack. + There are two policies: accept (Default) and drop. If the policy is set to accept + , the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack. It is easier to explicitly permit acceptable usage than to deny unacceptable usage. Note:
@@ -16119,7 +16119,7 @@ There are two policies: accept (Default) and drop. If the policy is set to - IF - Firewalld - is in use, this recommendation can be skipped. + is in use, this recommendation can be skipped. Changing firewall settings while connected over the network can result in being locked out of the system.
@@ -16134,24 +16134,24 @@ There are two policies: accept (Default) and drop. If the policy is set to - IF - NFTables - utility is in use on your system: + utility is in use on your system: Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \; } - + Example:
-# nft chain inet filter input { policy drop \; }
-# nft chain inet filter forward { policy drop \; } -
+ # nft chain inet filter input { policy drop \; }
+ # nft chain inet filter forward { policy drop \; } + Impact: If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. -Ensure that a rule allowing ssh - has been added to the base chain prior to setting the base chain's policy to drop + Ensure that a rule allowing ssh + has been added to the base chain prior to setting the base chain's policy to drop
@@ -16217,40 +16217,40 @@ Ensure that a rule allowing Run the following script to implement the loopback rules:
-#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{ l_hbfw=""
- if systemctl is-enabled firewalld.service 2>/dev/null | grep -q 'enabled'; then
- echo -e "\n - FirewallD is in use on the system\n - Recommendation is NA \n - Remediation Complete" && l_hbfw="fwd"
- elif systemctl is-enabled nftables.service | grep -q 'enabled'; then
- l_hbfw="nft"
- fi
- if [ "$l_hbfw" = "nft" ]; then
- l_ipsaddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook\s+input\s+/,/\}\s*(#.*)?$/' | grep -P -- 'ip\h+saddr')"
- if ! nft list ruleset | awk '/hook\s+input\s+/,/\}\s*(#.*)?$/' | grep -Pq -- '\H+\h+"lo"\h+accept'; then
- echo -e "\n - Enabling input to accept for loopback address"
- nft add rule inet filter input iif lo accept
- else
- echo -e "\n -nftables input correctly configured to accept for loopback address"
- fi
- if ! grep -Pq -- 'ip\h+saddr\h+127\.0\.0\.0\/8\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ipsaddr" && ! grep -Pq -- 'ip\h+daddr\h+\!\=\h+127\.0\.0\.1\h+ip\h+saddr\h+127\.0\.0\.1\h+drop' <<< "$l_ipsaddr"; then
- echo -e "\n - Setting IPv4 network traffic from loopback address to drop"
- nft add rule inet filter input ip saddr 127.0.0.0/8 counter drop
- else
- echo -e "\n -nftables correctly configured IPv4 network traffic from loopback address to drop"
- fi
- if grep -Pq -- '^\h*0\h*$' /sys/module/ipv6/parameters/disable; then
- l_ip6saddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook input/,/}/' | grep 'ip6 saddr')"
- if ! grep -Pq 'ip6\h+saddr\h+::1\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ip6saddr" && ! grep -Pq -- 'ip6\h+daddr\h+\!=\h+::1\h+ip6\h+saddr\h+::1\h+drop' <<< "$l_ip6saddr"; then
- echo -e "\n - Setting IPv6 network traffic from loopback address to drop"
- nft add rule inet filter input ip6 saddr ::1 counter drop
- else
- echo -e "\n - nftables IPv6 network traffic from loopback address to drop"
- fi
- fi
- fi
-} -
+ { l_hbfw=""
+ if systemctl is-enabled firewalld.service 2>/dev/null | grep -q 'enabled'; then
+ echo -e "\n - FirewallD is in use on the system\n - Recommendation is NA \n - Remediation Complete" && l_hbfw="fwd"
+ elif systemctl is-enabled nftables.service | grep -q 'enabled'; then
+ l_hbfw="nft"
+ fi
+ if [ "$l_hbfw" = "nft" ]; then
+ l_ipsaddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook\s+input\s+/,/\}\s*(#.*)?$/' | grep -P -- 'ip\h+saddr')"
+ if ! nft list ruleset | awk '/hook\s+input\s+/,/\}\s*(#.*)?$/' | grep -Pq -- '\H+\h+"lo"\h+accept'; then
+ echo -e "\n - Enabling input to accept for loopback address"
+ nft add rule inet filter input iif lo accept
+ else
+ echo -e "\n -nftables input correctly configured to accept for loopback address"
+ fi
+ if ! grep -Pq -- 'ip\h+saddr\h+127\.0\.0\.0\/8\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ipsaddr" && ! grep -Pq -- 'ip\h+daddr\h+\!\=\h+127\.0\.0\.1\h+ip\h+saddr\h+127\.0\.0\.1\h+drop' <<< "$l_ipsaddr"; then
+ echo -e "\n - Setting IPv4 network traffic from loopback address to drop"
+ nft add rule inet filter input ip saddr 127.0.0.0/8 counter drop
+ else
+ echo -e "\n -nftables correctly configured IPv4 network traffic from loopback address to drop"
+ fi
+ if grep -Pq -- '^\h*0\h*$' /sys/module/ipv6/parameters/disable; then
+ l_ip6saddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook input/,/}/' | grep 'ip6 saddr')"
+ if ! grep -Pq 'ip6\h+saddr\h+::1\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ip6saddr" && ! grep -Pq -- 'ip6\h+daddr\h+\!=\h+::1\h+ip6\h+saddr\h+::1\h+drop' <<< "$l_ip6saddr"; then
+ echo -e "\n - Setting IPv6 network traffic from loopback address to drop"
+ nft add rule inet filter input ip6 saddr ::1 counter drop
+ else
+ echo -e "\n - nftables IPv6 network traffic from loopback address to drop"
+ fi
+ fi
+ fi
+ } + 
@@ -16270,77 +16270,77 @@ Ensure that a rule allowing Configure SSH Server -Secure Shell (SSH) is a secure, encrypted replacement for common login services such as telnet -, ftp -, rlogin -, rsh -, and rcp -. It is strongly recommended that sites abandon older clear-text login protocols and use SSH to prevent session hijacking and sniffing of sensitive data off the network. + Secure Shell (SSH) is a secure, encrypted replacement for common login services such as telnet + , ftp + , rlogin + , rsh + , and rcp + . It is strongly recommended that sites abandon older clear-text login protocols and use SSH to prevent session hijacking and sniffing of sensitive data off the network. Note: -The recommendations in this section only apply if the SSH daemon is installed on the system, if remote access is not required the SSH daemon can be removed and this section skipped -. + The recommendations in this section only apply if the SSH daemon is installed on the system, if remote access is not required the SSH daemon can be removed and this section skipped + . -The openSSH daemon configuration directives, Include - and Match -, may cause the audits in this section's recommendations to report incorrectly. It is recommended that these options only be used if they're needed and fully understood. If these options are configured in accordance with local site policy, they should be accounted for when following the recommendations in this section. + The openSSH daemon configuration directives, Include + and Match + , may cause the audits in this section's recommendations to report incorrectly. It is recommended that these options only be used if they're needed and fully understood. If these options are configured in accordance with local site policy, they should be accounted for when following the recommendations in this section. -The default Include - location is the /etc/ssh/sshd_config.d - directory. This default has been accounted for in this section. 
If a file has an additional Include - that isn't this default location, the files should be reviewed to verify that the recommended setting is not being over-ridden. + The default Include + location is the /etc/ssh/sshd_config.d + directory. This default has been accounted for in this section. If a file has an additional Include + that isn't this default location, the files should be reviewed to verify that the recommended setting is not being over-ridden. -The audits of the running configuration in this section are run in the context of the root user, the local host name, and the local host's IP address. If a Match - block exists that matches one of these criteria, the output of the audit will be from the match block. The respective matched criteria should be replaced with a non-matching substitution. + The audits of the running configuration in this section are run in the context of the root user, the local host name, and the local host's IP address. If a Match + block exists that matches one of these criteria, the output of the audit will be from the match block. The respective matched criteria should be replaced with a non-matching substitution. Include -: - + : + Include the specified configuration file(s). Multiple pathnames may be specified and each pathname may contain glob(7) wildcards that will be expanded and processed in lexical order. -Files without absolute paths are assumed to be in /etc/ssh/ -. + Files without absolute paths are assumed to be in /etc/ssh/ + . An Include directive may appear inside a Match block to perform conditional inclusion. Match -: - + : + Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied. 
The arguments to Match are one or more criteria-pattern pairs or the single token All which matches all criteria. The available criteria are User, Group, Host, LocalAddress, LocalPort, and Address. The match patterns may consist of single entries or comma-separated lists and may use the wildcard and negation operators described in the PATTERNS section of ssh_config(5). -The patterns in an Address criteria may additionally contain addresses to match in CIDR address/masklen format, such as 192.0.2.0/24 - or 2001:db8::/32 -. Note that the mask length provided must be consistent with the address - it is an error to specify a mask length that is too long for the address or one with bits set in this host portion of the address. For example, 192.0.2.0/33 - and 192.0.2.0/8 -, respectively. + The patterns in an Address criteria may additionally contain addresses to match in CIDR address/masklen format, such as 192.0.2.0/24 + or 2001:db8::/32 + . Note that the mask length provided must be consistent with the address - it is an error to specify a mask length that is too long for the address or one with bits set in this host portion of the address. For example, 192.0.2.0/33 + and 192.0.2.0/8 + , respectively. Only a subset of keywords may be used on the lines following a Match keyword. Available keywords are available in the ssh_config man page. -Once all configuration changes have been made to /etc/ssh/sshd_config - or any included configuration files, the sshd - configuration must be reloaded + Once all configuration changes have been made to /etc/ssh/sshd_config + or any included configuration files, the sshd + configuration must be reloaded Command to re-load the SSH daemon configuration: # systemctl reload-or-restart sshd - + Ensure permissions on /etc/ssh/sshd_config are configured -The file /etc/ssh/sshd_config -, and files ending in .conf - in the /etc/ssh/sshd_config.d - directory, contain configuration specifications for sshd -. 
+ The file /etc/ssh/sshd_config + , and files ending in .conf + in the /etc/ssh/sshd_config.d + directory, contain configuration specifications for sshd + .
@@ -16362,8 +16362,8 @@ The file /etc/ssh/sshd_config -configuration specifications for sshd - need to be protected from unauthorized changes by non-privileged users. + configuration specifications for sshd + need to be protected from unauthorized changes by non-privileged users.
@@ -16372,29 +16372,29 @@ configuration specifications for ss -Run the following script to set ownership and permissions on /etc/ssh/sshd_config - and files ending in .conf - in the /etc/ssh/sshd_config.d - directory: + Run the following script to set ownership and permissions on /etc/ssh/sshd_config + and files ending in .conf + in the /etc/ssh/sshd_config.d + directory:
-#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- chmod u-x,og-rwx /etc/ssh/sshd_config
- chown root:root /etc/ssh/sshd_config
- while IFS= read -r -d $'\0' l_file; do
- if [ -e "$l_file" ]; then
- chmod u-x,og-rwx "$l_file"
- chown root:root "$l_file"
- fi
- done < <(find /etc/ssh/sshd_config.d -type f -print0 2>/dev/null)
-} -
+ {
+ chmod u-x,og-rwx /etc/ssh/sshd_config
+ chown root:root /etc/ssh/sshd_config
+ while IFS= read -r -d $'\0' l_file; do
+ if [ -e "$l_file" ]; then
+ chmod u-x,og-rwx "$l_file"
+ chown root:root "$l_file"
+ fi
+ done < <(find /etc/ssh/sshd_config.d -type f -print0 2>/dev/null)
+ } + - IF - - other locations are listed in an Include - statement, *.conf - files in these locations access should also be modified. + other locations are listed in an Include + statement, *.conf + files in these locations access should also be modified.
@@ -16478,52 +16478,52 @@ Run the following script to set ownership and permissions on Run the following script to set mode, ownership, and group on the private SSH host key files: -{
- l_output="" l_output2=""
- l_ssh_group_name="$(awk -F: '($1 ~ /^(ssh_keys|_?ssh)$/) {print $1}' /etc/group)"
- f_file_access_fix()
- {
- while IFS=: read -r l_file_mode l_file_owner l_file_group; do
- echo "File: \"$l_file\" mode: \"$l_file_mode\" owner \"$l_file_owner\" group \"$l_file_group\""
- l_out2=""
- [ "$l_file_group" = "$l_ssh_group_name" ] && l_pmask="0137" || l_pmask="0177"
- l_maxperm="$( printf '%o' $(( 0777 & ~$l_pmask )) )"
- if [ $(( $l_file_mode & $l_pmask )) -gt 0 ]; then
- l_out2="$l_out2\n - Mode: \"$l_file_mode\" should be mode: \"$l_maxperm\" or more restrictive\n - updating to mode: \:$l_maxperm\""
- if [ "l_file_group" = "$l_ssh_group_name" ]; then
- chmod u-x,g-wx,o-rwx "$l_file"
- else
- chmod u-x,go-rwx "$l_file"
- fi
- fi
- if [ "$l_file_owner" != "root" ]; then
- l_out2="$l_out2\n - Owned by: \"$l_file_owner\" should be owned by \"root\"\n - Changing ownership to \"root\""
- chown root "$l_file"
- fi
- if [[ ! "$l_file_group" =~ ($l_ssh_group_name|root) ]]; then
- [ -n "$l_ssh_group_name" ] && l_new_group="$l_ssh_group_name" || l_new_group="root"
- l_out2="$l_out2\n - Owned by group \"$l_file_group\" should be group owned by: \"$l_ssh_group_name\" or \"root\"\n - Changing group ownership to \"$l_new_group\""
- chgrp "$l_new_group" "$l_file"
- fi
- if [ -n "$l_out2" ]; then
- l_output2="$l_output2\n - File: \"$l_file\"$l_out2"
- else
- l_output="$l_output\n - File: \"$l_file\"\n - Correct: mode: \"$l_file_mode\", owner: \"$l_file_owner\", and group owner: \"$l_file_group\" configured"
- fi
- done < <(stat -Lc '%#a:%U:%G' "$l_file")
- }
- while IFS= read -r -d $'\0' l_file; do
- if ssh-keygen -lf &>/dev/null "$l_file"; then
- file "$l_file" | grep -Piq -- '\bopenssh\h+([^#\n\r]+\h+)?private\h+key\b' && f_file_access_fix
- fi
- done < <(find -L /etc/ssh -xdev -type f -print0 2>/dev/null)
- if [ -z "$l_output2" ]; then
- echo -e "\n- No access changes required\n"
- else
- echo -e "\n- Remediation results:\n$l_output2\n"
- fi
-} -
+ {
+ l_output="" l_output2=""
+ l_ssh_group_name="$(awk -F: '($1 ~ /^(ssh_keys|_?ssh)$/) {print $1}' /etc/group)"
+ f_file_access_fix()
+ {
+ while IFS=: read -r l_file_mode l_file_owner l_file_group; do
+ echo "File: \"$l_file\" mode: \"$l_file_mode\" owner \"$l_file_owner\" group \"$l_file_group\""
+ l_out2=""
+ [ "$l_file_group" = "$l_ssh_group_name" ] && l_pmask="0137" || l_pmask="0177"
+ l_maxperm="$( printf '%o' $(( 0777 & ~$l_pmask )) )"
+ if [ $(( $l_file_mode & $l_pmask )) -gt 0 ]; then
+ l_out2="$l_out2\n - Mode: \"$l_file_mode\" should be mode: \"$l_maxperm\" or more restrictive\n - updating to mode: \:$l_maxperm\""
+ if [ "l_file_group" = "$l_ssh_group_name" ]; then
+ chmod u-x,g-wx,o-rwx "$l_file"
+ else
+ chmod u-x,go-rwx "$l_file"
+ fi
+ fi
+ if [ "$l_file_owner" != "root" ]; then
+ l_out2="$l_out2\n - Owned by: \"$l_file_owner\" should be owned by \"root\"\n - Changing ownership to \"root\""
+ chown root "$l_file"
+ fi
+ if [[ ! "$l_file_group" =~ ($l_ssh_group_name|root) ]]; then
+ [ -n "$l_ssh_group_name" ] && l_new_group="$l_ssh_group_name" || l_new_group="root"
+ l_out2="$l_out2\n - Owned by group \"$l_file_group\" should be group owned by: \"$l_ssh_group_name\" or \"root\"\n - Changing group ownership to \"$l_new_group\""
+ chgrp "$l_new_group" "$l_file"
+ fi
+ if [ -n "$l_out2" ]; then
+ l_output2="$l_output2\n - File: \"$l_file\"$l_out2"
+ else
+ l_output="$l_output\n - File: \"$l_file\"\n - Correct: mode: \"$l_file_mode\", owner: \"$l_file_owner\", and group owner: \"$l_file_group\" configured"
+ fi
+ done < <(stat -Lc '%#a:%U:%G' "$l_file")
+ }
+ while IFS= read -r -d $'\0' l_file; do
+ if ssh-keygen -lf &>/dev/null "$l_file"; then
+ file "$l_file" | grep -Piq -- '\bopenssh\h+([^#\n\r]+\h+)?private\h+key\b' && f_file_access_fix
+ fi
+ done < <(find -L /etc/ssh -xdev -type f -print0 2>/dev/null)
+ if [ -z "$l_output2" ]; then
+ echo -e "\n- No access changes required\n"
+ else
+ echo -e "\n- Remediation results:\n$l_output2\n"
+ fi
+ } +
@@ -16571,46 +16571,46 @@ Run the following script to set ownership and permissions on Run the following script to set mode, ownership, and group on the public SSH host key files:
-#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_output="" l_output2=""
- l_pmask="0133" && l_maxperm="$( printf '%o' $(( 0777 & ~$l_pmask )) )"
- FILE_ACCESS_FIX()
- {
- while IFS=: read -r l_file_mode l_file_owner l_file_group; do
- l_out2=""
- if [ $(( $l_file_mode & $l_pmask )) -gt 0 ]; then
- l_out2="$l_out2\n - Mode: \"$l_file_mode\" should be mode: \"$l_maxperm\" or more restrictive\n - updating to mode: \:$l_maxperm\""
- chmod u-x,go-wx
- fi
- if [ "$l_file_owner" != "root" ]; then
- l_out2="$l_out2\n - Owned by: \"$l_file_owner\" should be owned by \"root\"\n - Changing ownership to \"root\""
- chown root "$l_file"
- fi
- if [ "$l_file_group" != "root" ]; then
- l_out2="$l_out2\n - Owned by group \"$l_file_group\" should be group owned by: \"root\"\n - Changing group ownership to \"root\""
- chgrp root "$l_file"
- fi
- if [ -n "$l_out2" ]; then
- l_output2="$l_output2\n - File: \"$l_file\"$l_out2"
- else
- l_output="$l_output\n - File: \"$l_file\"\n - Correct: mode: \"$l_file_mode\", owner: \"$l_file_owner\", and group owner: \"$l_file_group\" configured"
- fi
- done < <(stat -Lc '%#a:%U:%G' "$l_file")
- }
- while IFS= read -r -d $'\0' l_file; do
- if ssh-keygen -lf &>/dev/null "$l_file"; then
- file "$l_file" | grep -Piq -- '\bopenssh\h+([^#\n\r]+\h+)?public\h+key\b' && FILE_ACCESS_FIX
- fi
- done < <(find -L /etc/ssh -xdev -type f -print0 2>/dev/null)
- if [ -z "$l_output2" ]; then
- echo -e "\n- No access changes required\n"
- else
- echo -e "\n- Remediation results:\n$l_output2\n"
- fi
-} -
+ {
+ l_output="" l_output2=""
+ l_pmask="0133" && l_maxperm="$( printf '%o' $(( 0777 & ~$l_pmask )) )"
+ FILE_ACCESS_FIX()
+ {
+ while IFS=: read -r l_file_mode l_file_owner l_file_group; do
+ l_out2=""
+ if [ $(( $l_file_mode & $l_pmask )) -gt 0 ]; then
+ l_out2="$l_out2\n - Mode: \"$l_file_mode\" should be mode: \"$l_maxperm\" or more restrictive\n - updating to mode: \:$l_maxperm\""
+ chmod u-x,go-wx
+ fi
+ if [ "$l_file_owner" != "root" ]; then
+ l_out2="$l_out2\n - Owned by: \"$l_file_owner\" should be owned by \"root\"\n - Changing ownership to \"root\""
+ chown root "$l_file"
+ fi
+ if [ "$l_file_group" != "root" ]; then
+ l_out2="$l_out2\n - Owned by group \"$l_file_group\" should be group owned by: \"root\"\n - Changing group ownership to \"root\""
+ chgrp root "$l_file"
+ fi
+ if [ -n "$l_out2" ]; then
+ l_output2="$l_output2\n - File: \"$l_file\"$l_out2"
+ else
+ l_output="$l_output\n - File: \"$l_file\"\n - Correct: mode: \"$l_file_mode\", owner: \"$l_file_owner\", and group owner: \"$l_file_group\" configured"
+ fi
+ done < <(stat -Lc '%#a:%U:%G' "$l_file")
+ }
+ while IFS= read -r -d $'\0' l_file; do
+ if ssh-keygen -lf &>/dev/null "$l_file"; then
+ file "$l_file" | grep -Piq -- '\bopenssh\h+([^#\n\r]+\h+)?public\h+key\b' && FILE_ACCESS_FIX
+ fi
+ done < <(find -L /etc/ssh -xdev -type f -print0 2>/dev/null)
+ if [ -z "$l_output2" ]; then
+ echo -e "\n- No access changes required\n"
+ else
+ echo -e "\n- Remediation results:\n$l_output2\n"
+ fi
+ } +
@@ -16635,8 +16635,8 @@ Run the following script to set ownership and permissions on Some organizations may have stricter requirements for approved ciphers. Ensure that ciphers used are in compliance with site policy. -The only "strong" ciphers currently FIPS 140 compliant are: - + The only "strong" ciphers currently FIPS 140 compliant are: + aes256-gcm@openssh.com
@@ -16695,77 +16695,77 @@ The only "strong" ciphers currently FIPS 140 compliant are: First occurrence of an option takes precedence. -Though ciphers may be configured through the Ciphers - option in the /etc/ssh/sshd_config - file, it is recommended that the ciphers available to openSSH server are configured through system-wide-crypto-policy + Though ciphers may be configured through the Ciphers + option in the /etc/ssh/sshd_config + file, it is recommended that the ciphers available to openSSH server are configured through system-wide-crypto-policy If the recommendations in the subsection "Configure system wide crypto policy" have been followed, this Audit should be in a passing state. Please review that section before following this Remediation Procedure -By default, system-wide-crypto-policy is applied to the openSSH server. If the following defaults don't exist due to modifications or upgrade from a earlier release, the system-wide-crypto-policy may not be included by the openSSH server. It is recommended that these defaults be restored, created, or the line Include /etc/crypto-policies/back-ends/opensshserver.config - be added before any lines containing the Cipher - argument. + By default, system-wide-crypto-policy is applied to the openSSH server. If the following defaults don't exist due to modifications or upgrade from a earlier release, the system-wide-crypto-policy may not be included by the openSSH server. It is recommended that these defaults be restored, created, or the line Include /etc/crypto-policies/back-ends/opensshserver.config + be added before any lines containing the Cipher + argument. -Defaults: - + Defaults: + -The file /etc/ssh/sshd_config - includes the line: Include /etc/ssh/sshd_config.d/*.conf -. This line must appear before any lines containing the Cipher - argument + The file /etc/ssh/sshd_config + includes the line: Include /etc/ssh/sshd_config.d/*.conf + . 
This line must appear before any lines containing the Cipher + argument -This directory /etc/ssh/sshd_config.d/ - includes a file /etc/ssh/sshd_config.d/50-redhat.conf + This directory /etc/ssh/sshd_config.d/ + includes a file /etc/ssh/sshd_config.d/50-redhat.conf -The file /etc/ssh/sshd_config.d/50-redhat.conf - includes the line Include /etc/crypto-policies/back-ends/opensshserver.config + The file /etc/ssh/sshd_config.d/50-redhat.conf + includes the line Include /etc/crypto-policies/back-ends/opensshserver.config -The file /etc/crypto-policies/back-ends/opensshserver.config - is generated by system-wide-crypto-policy + The file /etc/crypto-policies/back-ends/opensshserver.config + is generated by system-wide-crypto-policy - IF - CVE-2023-48795 - has been addressed, and it meets local site policy, chacha20-poly1305 - may be removed from the list of excluded ciphers. + has been addressed, and it meets local site policy, chacha20-poly1305 + may be removed from the list of excluded ciphers. 
-Create or edit a file in /etc/crypto-policies/policies/modules/ - ending in .pmod - and add or modify the the following line: + Create or edit a file in /etc/crypto-policies/policies/modules/ + ending in .pmod + and add or modify the the following line: cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305 - + Example: # printf '%s\n' "# This is a subpolicy to disable weak ciphers" "# for the SSH protocol (libssh and OpenSSH)" "cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305" >> /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod - + Run the following command to update the system-wide cryptographic policy # update-crypto-policies --set <CRYPTO_POLICY>:<CRYPTO_SUBPOLICY1>:<CRYPTO_SUBPOLICY2>:<CRYPTO_SUBPOLICY3> - + Example: # update-crypto-policies --set DEFAULT:NO-SHA1:NO-WEAKMAC:NO-SSHCBC:NO-SSHCHACHA20:NO-SSHWEAKCIPHERS - + Run the following command to reload the openSSH server to make your cryptographic settings effective: # systemctl reload-or-restart sshd - + - OR - - If system-wide-crypto-policy is not being used to configure available ciphers ( This is not recommended -) + If system-wide-crypto-policy is not being used to configure available ciphers ( This is not recommended + ) -Edit the /etc/ssh/sshd_config file and add/modify the Ciphers - line to contain a comma separated list of the site unapproved (weak) Ciphers preceded with a - - above any Include - entries: + Edit the /etc/ssh/sshd_config file and add/modify the Ciphers + line to contain a comma separated list of the site unapproved (weak) Ciphers preceded with a - + above any Include + entries: Example: Ciphers -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,chacha20-poly1305@openssh.com - + 
@@ -16792,8 +16792,8 @@ Edit the /etc/ssh/sshd_config file and add/modify the Some organizations may have stricter requirements for approved Key exchange algorithms Ensure that Key exchange algorithms used are in compliance with site policy -The only Key Exchange Algorithms currently FIPS 140 approved are: - + The only Key Exchange Algorithms currently FIPS 140 approved are: + ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 @@ -16825,20 +16825,20 @@ The only Key Exchange Algorithms currently FIPS 140 approved are: The supported algorithms are: -curve25519-sha256
-curve25519-sha256@libssh.org
-diffie-hellman-group1-sha1
-diffie-hellman-group14-sha1
-diffie-hellman-group14-sha256
-diffie-hellman-group16-sha512
-diffie-hellman-group18-sha512
-diffie-hellman-group-exchange-sha1
-diffie-hellman-group-exchange-sha256
-ecdh-sha2-nistp256
-ecdh-sha2-nistp384
-ecdh-sha2-nistp521
-sntrup4591761x25519-sha512@tinyssh.org -
+ curve25519-sha256
+ curve25519-sha256@libssh.org
+ diffie-hellman-group1-sha1
+ diffie-hellman-group14-sha1
+ diffie-hellman-group14-sha256
+ diffie-hellman-group16-sha512
+ diffie-hellman-group18-sha512
+ diffie-hellman-group-exchange-sha1
+ diffie-hellman-group-exchange-sha256
+ ecdh-sha2-nistp256
+ ecdh-sha2-nistp384
+ ecdh-sha2-nistp521
+ sntrup4591761x25519-sha512@tinyssh.org +
@@ -16859,33 +16859,33 @@ sntrup4591761x25519-sha512@tinyssh.org First occurrence of an option takes precedence. -Though key_exchange may be configured through the KexAlgorithms - option in the /etc/ssh/sshd_config - file, it is recommended that the key_exchange available to openSSH server are configured through system-wide-crypto-policy + Though key_exchange may be configured through the KexAlgorithms + option in the /etc/ssh/sshd_config + file, it is recommended that the key_exchange available to openSSH server are configured through system-wide-crypto-policy If the recommendations in the subsection "Configure system wide crypto policy" have been followed, this Audit should be in a passing state. Please review that section before following this Remediation Procedure -By default, system-wide-crypto-policy is applied to the openSSH server. If the following defaults don't exist due to modifications or upgrade from a earlier release, the system-wide-crypto-policy may not be included by the openSSH server. It is recommended that these defaults be restored, created, or the line Include /etc/crypto-policies/back-ends/opensshserver.config - be added before any lines containing the KexAlgorithms - argument. + By default, system-wide-crypto-policy is applied to the openSSH server. If the following defaults don't exist due to modifications or upgrade from a earlier release, the system-wide-crypto-policy may not be included by the openSSH server. It is recommended that these defaults be restored, created, or the line Include /etc/crypto-policies/back-ends/opensshserver.config + be added before any lines containing the KexAlgorithms + argument. -Defaults: - + Defaults: + -The file /etc/ssh/sshd_config - includes the line: Include /etc/ssh/sshd_config.d/*.conf -. This line must appear before any lines containing the KexAlgorithms - argument + The file /etc/ssh/sshd_config + includes the line: Include /etc/ssh/sshd_config.d/*.conf + . 
This line must appear before any lines containing the KexAlgorithms + argument -This directory /etc/ssh/sshd_config.d/ - includes a file /etc/ssh/sshd_config.d/50-redhat.conf + This directory /etc/ssh/sshd_config.d/ + includes a file /etc/ssh/sshd_config.d/50-redhat.conf -The file /etc/ssh/sshd_config.d/50-redhat.conf - includes the line Include /etc/crypto-policies/back-ends/opensshserver.config + The file /etc/ssh/sshd_config.d/50-redhat.conf + includes the line Include /etc/crypto-policies/back-ends/opensshserver.config -The file /etc/crypto-policies/back-ends/opensshserver.config - is generated by system-wide-crypto-policy + The file /etc/crypto-policies/back-ends/opensshserver.config + is generated by system-wide-crypto-policy @@ -16894,45 +16894,45 @@ The file /etc/crypto-poli This is and excerpt of the Remediation Procedure from "Ensure system wide crypto policy disables sha1 hash and signature support": -Create or edit a file in /etc/crypto-policies/policies/modules/ - ending in .pmod - and add or modify the following lines: + Create or edit a file in /etc/crypto-policies/policies/modules/ + ending in .pmod + and add or modify the following lines: -hash = -SHA1
-sign = -*-SHA1
-sha1_in_certs = 0 -
+ hash = -SHA1
+ sign = -*-SHA1
+ sha1_in_certs = 0 + Example: # printf '%s\n' "# This is a subpolicy dropping the SHA1 hash and signature support" "hash = -SHA1" "sign = -*-SHA1" "sha1_in_certs = 0" >> /etc/crypto-policies/policies/modules/NO-SHA1.pmod - + Run the following command to update the system-wide cryptographic policy # update-crypto-policies --set <CRYPTO_POLICY>:<CRYPTO_SUBPOLICY1>:<CRYPTO_SUBPOLICY2>:<CRYPTO_SUBPOLICY3> - + Example: # update-crypto-policies --set DEFAULT:NO-SHA1:NO-WEAKMAC:NO-SSHCBC:NO-SSHCHACHA20:NO-SSHETM:NO-SSHWEAKCIPHERS - + Run the following command to reload the openSSH server to make your cryptographic settings effective: # systemctl reload-or-restart sshd - + - OR - - If system-wide-crypto-policy is not being used to configure available KexAlgorithms ( This is not recommended -) + If system-wide-crypto-policy is not being used to configure available KexAlgorithms ( This is not recommended + ) -Edit the /etc/ssh/sshd_config - file and add/modify the KexAlgorithms - line to contain a comma separated list of the site unapproved (weak) KexAlgorithms preceded with a - - above any Include - entries: + Edit the /etc/ssh/sshd_config + file and add/modify the KexAlgorithms + line to contain a comma separated list of the site unapproved (weak) KexAlgorithms preceded with a - + above any Include + entries: Example: KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 - + @@ -16958,8 +16958,8 @@ Edit the /etc/ssh/sshd_configSome organizations may have stricter requirements for approved MACs. Ensure that MACs used are in compliance with site policy. -The only "strong" MACs currently FIPS 140 approved are: - + The only "strong" MACs currently FIPS 140 approved are: + HMAC-SHA1 HMAC-SHA2-256 HMAC-SHA2-384 
@@ -17010,84 +17010,84 @@ The only "strong" MACs currently FIPS 140 approved are: First occurrence of an option takes precedence. -Though MACs may be configured through the MACs - option in the /etc/ssh/sshd_config - file, it is recommended that the MACs available to openSSH server are configured through system-wide-crypto-policy + Though MACs may be configured through the MACs + option in the /etc/ssh/sshd_config + file, it is recommended that the MACs available to openSSH server are configured through system-wide-crypto-policy If the recommendations in the subsection "Configure system wide crypto policy" have been followed, this Audit should be in a passing state. Please review that section before following this Remediation Procedure -By default, system-wide-crypto-policy is applied to the openSSH server. If the following defaults don't exist due to modifications or upgrade from a earlier release, the system-wide-crypto-policy may not be included by the openSSH server. It is recommended that these defaults be restored, created, or the line Include /etc/crypto-policies/back-ends/opensshserver.config - be added before any lines containing the MACs - argument. + By default, system-wide-crypto-policy is applied to the openSSH server. If the following defaults don't exist due to modifications or upgrade from a earlier release, the system-wide-crypto-policy may not be included by the openSSH server. It is recommended that these defaults be restored, created, or the line Include /etc/crypto-policies/back-ends/opensshserver.config + be added before any lines containing the MACs + argument. -Defaults: - + Defaults: + -The file /etc/ssh/sshd_config - includes the line: Include /etc/ssh/sshd_config.d/*.conf -. This line must appear before any lines containing the MACs - argument + The file /etc/ssh/sshd_config + includes the line: Include /etc/ssh/sshd_config.d/*.conf + . 
This line must appear before any lines containing the MACs + argument -This directory /etc/ssh/sshd_config.d/ - includes a file /etc/ssh/sshd_config.d/50-redhat.conf + This directory /etc/ssh/sshd_config.d/ + includes a file /etc/ssh/sshd_config.d/50-redhat.conf -The file /etc/ssh/sshd_config.d/50-redhat.conf - includes the line Include /etc/crypto-policies/back-ends/opensshserver.config + The file /etc/ssh/sshd_config.d/50-redhat.conf + includes the line Include /etc/crypto-policies/back-ends/opensshserver.config -The file /etc/crypto-policies/back-ends/opensshserver.config - is generated by system-wide-crypto-policy + The file /etc/crypto-policies/back-ends/opensshserver.config + is generated by system-wide-crypto-policy - IF - CVE-2023-48795 - has not been reviewed and addressed, Recommendation "Ensure system wide crypto policy disables EtM for ssh" should be followed. + has not been reviewed and addressed, Recommendation "Ensure system wide crypto policy disables EtM for ssh" should be followed. 
-Create or edit a file in /etc/crypto-policies/policies/modules/ - ending in .pmod - and add or modify the the following line: + Create or edit a file in /etc/crypto-policies/policies/modules/ + ending in .pmod + and add or modify the the following line: mac@SSH = -HMAC-MD5* -UMAC-64* -UMAC-128* - + Example: # printf '%s\n' "# This is a subpolicy to disable weak MACs" "# for the SSH protocol (libssh and OpenSSH)" "mac@SSH = -HMAC-MD5* -UMAC-64* -UMAC-128*" >> /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod - + Run the following command to update the system-wide cryptographic policy # update-crypto-policies --set <CRYPTO_POLICY>:<CRYPTO_SUBPOLICY1>:<CRYPTO_SUBPOLICY2>:<CRYPTO_SUBPOLICY3> - + Example: # update-crypto-policies --set DEFAULT:NO-SHA1:NO-WEAKMAC:NO-SSHCBC:NO-SSHCHACHA20:NO-SSHETM:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS - + Run the following command to reload the openSSH server to make your cryptographic settings effective: # systemctl reload-or-restart sshd - + - OR - - If system-wide-crypto-policy is not being used to configure available ciphers ( This is not recommended -) + If system-wide-crypto-policy is not being used to configure available ciphers ( This is not recommended + ) -Edit the /etc/ssh/sshd_config - file and add/modify the MACs - line to contain a comma separated list of the site unapproved (weak) MACs preceded with a - - above any Include - entries: + Edit the /etc/ssh/sshd_config + file and add/modify the MACs + line to contain a comma separated list of the site unapproved (weak) MACs preceded with a - + above any Include + entries: Example: MACs -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com - + - IF - CVE-2023-48795 - has not been reviewed and addressed, the following etm - MACs should be added to the exclude list: hmac-sha1-etm@openssh.com -, 
hmac-sha2-256-etm@openssh.com -, hmac-sha2-512-etm@openssh.com + has not been reviewed and addressed, the following etm + MACs should be added to the exclude list: hmac-sha1-etm@openssh.com + , hmac-sha2-256-etm@openssh.com + , hmac-sha2-512-etm@openssh.com 
@@ -17110,42 +17110,42 @@ Edit the /etc/ssh/sshd_config AllowUsers -: - + : + -The AllowUsers - variable gives the system administrator the option of allowing specific users to ssh - into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. + The AllowUsers + variable gives the system administrator the option of allowing specific users to ssh + into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. AllowGroups -: - + : + -The AllowGroups - variable gives the system administrator the option of allowing specific groups of users to ssh - into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. + The AllowGroups + variable gives the system administrator the option of allowing specific groups of users to ssh + into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. DenyUsers -: - + : + -The DenyUsers - variable gives the system administrator the option of denying specific users to ssh - into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. + The DenyUsers + variable gives the system administrator the option of denying specific users to ssh + into the system. 
The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. DenyGroups -: - + : + -The DenyGroups - variable gives the system administrator the option of denying specific groups of users to ssh - into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. + The DenyGroups + variable gives the system administrator the option of denying specific groups of users to ssh + into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. @@ -17180,30 +17180,30 @@ The DenyGroups -Edit the /etc/ssh/sshd_config - file to set one or more of the parameters above any Include - and Match - set statements as follows: + Edit the /etc/ssh/sshd_config + file to set one or more of the parameters above any Include + and Match + set statements as follows: -AllowUsers <userlist>
- - AND/OR -
-AllowGroups <grouplist> -
+ AllowUsers <userlist>
+ - AND/OR -
+ AllowGroups <grouplist> + Note: -First occurrence of a option takes precedence, Match - set statements withstanding. If Include - locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a .conf - file in a Include - directory. + First occurrence of a option takes precedence, Match + set statements withstanding. If Include + locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a .conf + file in a Include + directory. Be advised - that these options are "ANDed" together. If both AllowUsers - and AllowGroups - are set, connections will be limited to the list of users that are also a member of an allowed group. It is recommended that only one be set for clarity and ease of administration. + that these options are "ANDed" together. If both AllowUsers + and AllowGroups + are set, connections will be limited to the list of users that are also a member of an allowed group. It is recommended that only one be set for clarity and ease of administration. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user or group and forget to add it to the deny list. @@ -17224,8 +17224,8 @@ First occurrence of a option takes precedence, Ensure sshd Banner is configured -The Banner - parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed. + The Banner + parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed. Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system. 
@@ -17237,29 +17237,29 @@ The Banner -Edit the /etc/ssh/sshd_config - file to set the Banner - parameter above any Include - and Match - entries as follows: + Edit the /etc/ssh/sshd_config + file to set the Banner + parameter above any Include + and Match + entries as follows: Banner /etc/issue.net - + Note: - First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location. + First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location. -Edit the file being called by the Banner - argument with the appropriate contents according to your site policy, remove any instances of \m - , \r - , \s - , \v - or references to the OS platform + Edit the file being called by the Banner + argument with the appropriate contents according to your site policy, remove any instances of \m + , \r + , \s + , \v + or references to the OS platform Example: # printf '%s\n' "Authorized users only. All activity may be monitored and reported." > "$(sshd -T | awk '$1 == "banner" {print $2}')" - + 
@@ -17289,25 +17289,25 @@ Edit the file being called by the Note: - To clarify, the two settings described below are only meant for idle connections from a protocol perspective and are not meant to check if the user is active or not. An idle user does not mean an idle connection. SSH does not and never had, intentionally, the capability to drop idle users. In SSH versions before 8.2p1 - there was a bug that caused these values to behave in such a manner that they were abused to disconnect idle users. This bug has been resolved in 8.2p1 - and thus it can no longer be abused disconnect idle users. + To clarify, the two settings described below are only meant for idle connections from a protocol perspective and are not meant to check if the user is active or not. An idle user does not mean an idle connection. SSH does not and never had, intentionally, the capability to drop idle users. In SSH versions before 8.2p1 + there was a bug that caused these values to behave in such a manner that they were abused to disconnect idle users. This bug has been resolved in 8.2p1 + and thus it can no longer be abused disconnect idle users. -The two options ClientAliveInterval - and ClientAliveCountMax - control the timeout of SSH sessions. Taken directly from man 5 sshd_config -: + The two options ClientAliveInterval + and ClientAliveCountMax + control the timeout of SSH sessions. Taken directly from man 5 sshd_config + : ClientAliveInterval - Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. + Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. 
ClientAliveCountMax - Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option en‐abled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive. -The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting a zero ClientAliveCountMax disables connection termination. + Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option en‐abled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive. + The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting a zero ClientAliveCountMax disables connection termination. @@ -17323,10 +17323,10 @@ The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCoun
-In order to prevent resource exhaustion, appropriate values should be set for both ClientAliveInterval - and ClientAliveCountMax -. Specifically, looking at the source code, ClientAliveCountMax - must be greater than zero in order to utilize the ability of SSH to drop idle connections. If connections are allowed to stay open indefinitely, this can potentially be used as a DDOS attack or simple resource exhaustion could occur over unreliable networks. + In order to prevent resource exhaustion, appropriate values should be set for both ClientAliveInterval + and ClientAliveCountMax + . Specifically, looking at the source code, ClientAliveCountMax + must be greater than zero in order to utilize the ability of SSH to drop idle connections. If connections are allowed to stay open indefinitely, this can potentially be used as a DDOS attack or simple resource exhaustion could occur over unreliable networks. The example set here is a 45 second timeout. Consult your site policy for network timeouts and apply as appropriate. SSHD_CONFIG(5) @@ -17336,22 +17336,22 @@ In order to prevent resource exhaustion, appropriate values should be set for bo -Edit the /etc/ssh/sshd_config - file to set the ClientAliveInterval - and ClientAliveCountMax - parameters above any Include - and Match - entries according to site policy. + Edit the /etc/ssh/sshd_config + file to set the ClientAliveInterval + and ClientAliveCountMax + parameters above any Include + and Match + entries according to site policy. Example: -ClientAliveInterval 15
-ClientAliveCountMax 3 -
+ ClientAliveInterval 15
+ ClientAliveCountMax 3 + Note: - First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location. + First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location.
@@ -17397,8 +17397,8 @@ ClientAliveCountMax 3 Ensure sshd DisableForwarding is enabled -The DisableForwarding - parameter disables all forwarding features, including X11, ssh-agent(1), TCP and StreamLocal. This option overrides all other forwarding-related options and may simplify restricted configurations. + The DisableForwarding + parameter disables all forwarding features, including X11, ssh-agent(1), TCP and StreamLocal. This option overrides all other forwarding-related options and may simplify restricted configurations. X11Forwarding provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. ssh-agent is a program to hold private keys used for public key authentication. Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using ssh. @@ -17437,16 +17437,16 @@ The DisableForwarding -Edit the /etc/ssh/sshd_config - file to set the DisableForwarding - parameter to yes - above any Include - entry as follows: + Edit the /etc/ssh/sshd_config + file to set the DisableForwarding + parameter to yes + above any Include + entry as follows: DisableForwarding yes - + Note: - First occurrence of a option takes precedence. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location. + First occurrence of a option takes precedence. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location. Impact: SSH tunnels are widely used in many corporate environments. In some environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications. 
@@ -17469,8 +17469,8 @@ Edit the /etc/ssh/sshd_configEnsure sshd GSSAPIAuthentication is disabled -The GSSAPIAuthentication - parameter specifies whether user authentication based on GSSAPI is allowed + The GSSAPIAuthentication + parameter specifies whether user authentication based on GSSAPI is allowed @@ -17502,20 +17502,20 @@ The GSSAPIAuthentication -Edit the /etc/ssh/sshd_config - file to set the GSSAPIAuthentication - parameter to no - above any Include - and Match - entries as follows: + Edit the /etc/ssh/sshd_config + file to set the GSSAPIAuthentication + parameter to no + above any Include + and Match + entries as follows: GSSAPIAuthentication no - + Note: - First occurrence of an option takes precedence, Match - set statements withstanding. If Include - locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include - location. + First occurrence of an option takes precedence, Match + set statements withstanding. If Include + locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include + location. 
@@ -17544,17 +17544,17 @@ Edit the /etc/ssh/sshd_configEnsure sshd HostbasedAuthentication is disabled -The HostbasedAuthentication - parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts -, or /etc/hosts.equiv -, along with successful public key client host authentication. + The HostbasedAuthentication + parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts + , or /etc/hosts.equiv + , along with successful public key client host authentication. -Even though the .rhosts - files are ineffective if support is disabled in /etc/pam.conf -, disabling the ability to use .rhosts - files in SSH provides an additional layer of protection. + Even though the .rhosts + files are ineffective if support is disabled in /etc/pam.conf + , disabling the ability to use .rhosts + files in SSH provides an additional layer of protection. SSHD_CONFIG(5) SSHD(8) @@ -17563,20 +17563,20 @@ Even though the .rhosts -Edit the /etc/ssh/sshd_config - file to set the HostbasedAuthentication - parameter to no - above any Include - and Match - entries as follows: + Edit the /etc/ssh/sshd_config + file to set the HostbasedAuthentication + parameter to no + above any Include + and Match + entries as follows: HostbasedAuthentication no - + Note: - First occurrence of a option takes precedence, Match - set statements withstanding. If Include - locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include - location. + First occurrence of a option takes precedence, Match + set statements withstanding. If Include + locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include + location. 
@@ -17605,12 +17605,12 @@ Edit the /etc/ssh/sshd_configEnsure sshd IgnoreRhosts is enabled -The IgnoreRhosts - parameter specifies that .rhosts - and .shosts - files will not be used in RhostsRSAAuthentication - or HostbasedAuthentication -. + The IgnoreRhosts + parameter specifies that .rhosts + and .shosts + files will not be used in RhostsRSAAuthentication + or HostbasedAuthentication + . @@ -17642,20 +17642,20 @@ The IgnoreRhosts -Edit the /etc/ssh/sshd_config - file to set the IgnoreRhosts - parameter to yes - above any Include - and Match - entries as follows: + Edit the /etc/ssh/sshd_config + file to set the IgnoreRhosts + parameter to yes + above any Include + and Match + entries as follows: IgnoreRhosts yes - + Note: - First occurrence of a option takes precedence, Match - set statements withstanding. If Include - locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include - location. + First occurrence of a option takes precedence, Match + set statements withstanding. If Include + locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include + location. 
@@ -17684,13 +17684,13 @@ Edit the /etc/ssh/sshd_configEnsure sshd LoginGraceTime is configured -The LoginGraceTime - parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access. + The LoginGraceTime + parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access. -Setting the LoginGraceTime - parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy. + Setting the LoginGraceTime + parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy. SSHD_CONFIG(5) NIST SP 800-53 Rev. 5: CM-6 
@@ -17699,16 +17699,16 @@ Setting the LoginGraceTime -Edit the /etc/ssh/sshd_config - file to set the LoginGraceTime - parameter to 60 - seconds or less above any Include - entry as follows: + Edit the /etc/ssh/sshd_config + file to set the LoginGraceTime + parameter to 60 + seconds or less above any Include + entry as follows: LoginGraceTime 60 - + Note: - First occurrence of a option takes precedence. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location. + First occurrence of a option takes precedence. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location. @@ -17727,8 +17727,8 @@ Edit the /etc/ssh/sshd_configEnsure sshd LogLevel is configured -SSH provides several logging levels with varying amounts of verbosity. The DEBUG - options are specifically not recommended other than strictly for debugging SSH communications. These levels provide so much data that it is difficult to identify important security information, and may violate the privacy of users. + SSH provides several logging levels with varying amounts of verbosity. The DEBUG + options are specifically not recommended other than strictly for debugging SSH communications. These levels provide so much data that it is difficult to identify important security information, and may violate the privacy of users. 
@@ -17755,11 +17755,11 @@ SSH provides several logging levels with varying amounts of verbosity. The -The INFO - level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. + The INFO + level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. -The VERBOSE - level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments. + The VERBOSE + level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments. @@ -17770,24 +17770,24 @@ The VERBOSE -Edit the /etc/ssh/sshd_config - file to set the LogLevel - parameter to VERBOSE - or INFO - above any Include - and Match - entries as follows: + Edit the /etc/ssh/sshd_config + file to set the LogLevel + parameter to VERBOSE + or INFO + above any Include + and Match + entries as follows: -LogLevel VERBOSE
- - OR -
-LogLevel INFO -
+ LogLevel VERBOSE
+ - OR -
+ LogLevel INFO + Note: - First occurrence of an option takes precedence, Match - set statements withstanding. If Include - locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include - location. + First occurrence of an option takes precedence, Match + set statements withstanding. If Include + locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include + location.
@@ -17816,9 +17816,9 @@ LogLevel INFO Ensure sshd MaxAuthTries is configured -The MaxAuthTries - parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog - file detailing the login failure. + The MaxAuthTries + parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog + file detailing the login failure. @@ -17840,8 +17840,8 @@ The MaxAuthTries -Setting the MaxAuthTries - parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy. + Setting the MaxAuthTries + parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy. @@ -17851,20 +17851,20 @@ Setting the MaxAuthTries -Edit the /etc/ssh/sshd_config - file to set the MaxAuthTries - parameter to 4 - or less above any Include - and Match - entries as follows: + Edit the /etc/ssh/sshd_config + file to set the MaxAuthTries + parameter to 4 + or less above any Include + and Match + entries as follows: MaxAuthTries 4 - + Note: - First occurrence of an option takes precedence, Match - set statements withstanding. If Include - locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include - location. + First occurrence of an option takes precedence, Match + set statements withstanding. If Include + locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include + location. 
@@ -17893,8 +17893,8 @@ Edit the /etc/ssh/sshd_configEnsure sshd MaxStartups is configured -The MaxStartups - parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. + The MaxStartups + parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon. @@ -17905,16 +17905,16 @@ The MaxStartups -Edit the /etc/ssh/sshd_config - file to set the MaxStartups - parameter to 10:30:60 - or more restrictive above any Include - entries as follows: + Edit the /etc/ssh/sshd_config + file to set the MaxStartups + parameter to 10:30:60 + or more restrictive above any Include + entries as follows: MaxStartups 10:30:60 - + Note: - First occurrence of a option takes precedence. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location. + First occurrence of a option takes precedence. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location. @@ -17933,8 +17933,8 @@ Edit the /etc/ssh/sshd_configEnsure sshd MaxSessions is configured -The MaxSessions - parameter specifies the maximum number of open sessions permitted from a given connection. + The MaxSessions + parameter specifies the maximum number of open sessions permitted from a given connection. To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon. 
@@ -17945,20 +17945,20 @@ The MaxSessions -Edit the /etc/ssh/sshd_config - file to set the MaxSessions - parameter to 10 - or less above any Include - and Match - entries as follows: + Edit the /etc/ssh/sshd_config + file to set the MaxSessions + parameter to 10 + or less above any Include + and Match + entries as follows: MaxSessions 10 - + Note: - First occurrence of an option takes precedence, Match - set statements withstanding. If Include - locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include - location. + First occurrence of an option takes precedence, Match + set statements withstanding. If Include + locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include + location. @@ -17987,8 +17987,8 @@ Edit the /etc/ssh/sshd_configEnsure sshd PermitEmptyPasswords is disabled -The PermitEmptyPasswords - parameter specifies if the SSH server allows login to accounts with empty password strings. + The PermitEmptyPasswords + parameter specifies if the SSH server allows login to accounts with empty password strings. 
@@ -18019,20 +18019,20 @@ The PermitEmptyPasswords -Edit /etc/ssh/sshd_config - and set the PermitEmptyPasswords - parameter to no - above any Include - and Match - entries as follows: + Edit /etc/ssh/sshd_config + and set the PermitEmptyPasswords + parameter to no + above any Include + and Match + entries as follows: PermitEmptyPasswords no - + Note: - First occurrence of an option takes precedence, Match - set statements withstanding. If Include - locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include - location. + First occurrence of an option takes precedence, Match + set statements withstanding. If Include + locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include + location. @@ -18061,9 +18061,9 @@ Edit /etc/ssh/sshd_configEnsure sshd PermitRootLogin is disabled -The PermitRootLogin - parameter specifies if the root user can log in using SSH. The default is prohibit-password -. + The PermitRootLogin + parameter specifies if the root user can log in using SSH. The default is prohibit-password + . @@ -18085,9 +18085,9 @@ The PermitRootLogin -Disallowing root - logins over SSH requires system admins to authenticate using their own individual account, then escalating to root -. This limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident. + Disallowing root + logins over SSH requires system admins to authenticate using their own individual account, then escalating to root + . This limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident. 
@@ -18097,20 +18097,20 @@ Disallowing root -Edit the /etc/ssh/sshd_config - file to set the PermitRootLogin - parameter to no - above any Include - and Match - entries as follows: + Edit the /etc/ssh/sshd_config + file to set the PermitRootLogin + parameter to no + above any Include + and Match + entries as follows: PermitRootLogin no - + Note: - First occurrence of an option takes precedence, Match - set statements withstanding. If Include - locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include - location. + First occurrence of an option takes precedence, Match + set statements withstanding. If Include + locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include + location. @@ -18139,8 +18139,8 @@ Edit the /etc/ssh/sshd_configEnsure sshd PermitUserEnvironment is disabled -The PermitUserEnvironment - option allows users to present environment options to the SSH daemon. + The PermitUserEnvironment + option allows users to present environment options to the SSH daemon. Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has SSH executing trojan'd programs) 
@@ -18152,16 +18152,16 @@ The PermitUserEnvironment -Edit the /etc/ssh/sshd_config - file to set the PermitUserEnvironment - parameter to no - above any Include - entries as follows: + Edit the /etc/ssh/sshd_config + file to set the PermitUserEnvironment + parameter to no + above any Include + entries as follows: PermitUserEnvironment no - + Note: - First occurrence of an option takes precedence. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location. + First occurrence of an option takes precedence. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location. @@ -18180,11 +18180,11 @@ Edit the /etc/ssh/sshd_configEnsure sshd UsePAM is enabled -The UsePAM - directive enables the Pluggable Authentication Module (PAM) interface. If set to yes - this will enable PAM authentication using ChallengeResponseAuthentication - and PasswordAuthentication - directives in addition to PAM account and session module processing for all authentication types. + The UsePAM + directive enables the Pluggable Authentication Module (PAM) interface. If set to yes + this will enable PAM authentication using ChallengeResponseAuthentication + and PasswordAuthentication + directives in addition to PAM account and session module processing for all authentication types. 
@@ -18206,9 +18206,9 @@ The UsePAM -When usePAM - is set to yes -, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server + When usePAM + is set to yes + , PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server @@ -18219,16 +18219,16 @@ When usePAM -Edit the /etc/ssh/sshd_config - file to set the UsePAM - parameter to yes - above any Include - entries as follows: + Edit the /etc/ssh/sshd_config + file to set the UsePAM + parameter to yes + above any Include + entries as follows: UsePAM yes - + Note: - First occurrence of an option takes precedence. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location. + First occurrence of an option takes precedence. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location. 
@@ -18257,11 +18257,11 @@ Edit the /etc/ssh/sshd_configThe invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy. sudo - supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the sudo - front end. The default security policy is sudoers -, which is configured via the file /etc/sudoers - and any entries in /etc/sudoers.d -. + supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the sudo + front end. The default security policy is sudoers + , which is configured via the file /etc/sudoers + and any entries in /etc/sudoers.d + . pkexec @@ -18274,7 +18274,7 @@ Edit the /etc/ssh/sshd_config sudo - allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy. + allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy. 
@@ -18297,15 +18297,15 @@ Edit the /etc/ssh/sshd_config sudo - supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the sudo - front end. The default security policy is sudoers -, which is configured via the file /etc/sudoers - and any entries in /etc/sudoers.d -. + supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the sudo + front end. The default security policy is sudoers + , which is configured via the file /etc/sudoers + and any entries in /etc/sudoers.d + . -The security policy determines what privileges, if any, a user has to run sudo -. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo - will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific. + The security policy determines what privileges, if any, a user has to run sudo + . The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo + will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific. @@ -18316,7 +18316,7 @@ The security policy determines what privileges, if any, a user has to run Run the following command to install sudo # dnf install sudo - + @@ -18331,8 +18331,8 @@ The security policy determines what privileges, if any, a user has to run sudo - can be configured to run only from a pseudo terminal ( pseudo-pty -). + can be configured to run only from a pseudo terminal ( pseudo-pty + ). 
@@ -18354,8 +18354,8 @@ The security policy determines what privileges, if any, a user has to run -Attackers can run a malicious program using sudo - which would fork a background process that remains even when the main program has finished executing. + Attackers can run a malicious program using sudo + which would fork a background process that remains even when the main program has finished executing. 
@@ -18367,48 +18367,48 @@ Attackers can run a malicious program using /etc/sudoers - with visudo - or a file in /etc/sudoers.d/ - with visudo -f <PATH TO FILE> - and add the following line: + Edit the file /etc/sudoers + with visudo + or a file in /etc/sudoers.d/ + with visudo -f <PATH TO FILE> + and add the following line: Defaults use_pty - + -Edit the file /etc/sudoers - with visudo - and any files in /etc/sudoers.d/ - with visudo -f <PATH TO FILE> - and remove any occurrence of !use_pty + Edit the file /etc/sudoers + with visudo + and any files in /etc/sudoers.d/ + with visudo -f <PATH TO FILE> + and remove any occurrence of !use_pty Note: -sudo will read each file in /etc/sudoers.d -, skipping file names that end in ~ - or contain a . - character to avoid causing problems with package manager or editor temporary/backup files. + sudo will read each file in /etc/sudoers.d + , skipping file names that end in ~ + or contain a . + character to avoid causing problems with package manager or editor temporary/backup files. -Files are parsed in sorted lexical order. That is, /etc/sudoers.d/01_first - will be parsed before /etc/sudoers.d/10_second -. + Files are parsed in sorted lexical order. That is, /etc/sudoers.d/01_first + will be parsed before /etc/sudoers.d/10_second + . -Be aware that because the sorting is lexical, not numeric, /etc/sudoers.d/1_whoops - would be loaded after /etc/sudoers.d/10_second -. + Be aware that because the sorting is lexical, not numeric, /etc/sudoers.d/1_whoops + would be loaded after /etc/sudoers.d/10_second + . Using a consistent number of leading zeroes in the file names can be used to avoid such problems. Impact: WARNING: - Editing the sudo - configuration incorrectly can cause sudo - to stop functioning. Always use visudo - to modify sudo - configuration files. + Editing the sudo + configuration incorrectly can cause sudo + to stop functioning. Always use visudo + to modify sudo + configuration files. 
@@ -18436,8 +18436,8 @@ Be aware that because the sorting is lexical, not numeric, Ensure sudo log file exists -The Defaults logfile - entry sets the path to the sudo log file. Setting a path turns on logging to a file; negating this option turns it off. By default, sudo logs via syslog. + The Defaults logfile + entry sets the path to the sudo log file. Setting a path turns on logging to a file; negating this option turns it off. By default, sudo logs via syslog. 
@@ -18473,48 +18473,48 @@ The Defaults logfile -Edit the file /etc/sudoers - or a file in /etc/sudoers.d/ - with visudo -f <PATH TO FILE> - and add the following line: + Edit the file /etc/sudoers + or a file in /etc/sudoers.d/ + with visudo -f <PATH TO FILE> + and add the following line: Defaults logfile="<PATH TO CUSTOM LOG FILE>" - + Example Defaults logfile="/var/log/sudo.log" - + Notes: -sudo will read each file in /etc/sudoers.d -, skipping file names that end in ~ - or contain a . - character to avoid causing problems with package manager or editor temporary/backup files. + sudo will read each file in /etc/sudoers.d + , skipping file names that end in ~ + or contain a . + character to avoid causing problems with package manager or editor temporary/backup files. -Files are parsed in sorted lexical order. That is, /etc/sudoers.d/01_first - will be parsed before /etc/sudoers.d/10_second -. + Files are parsed in sorted lexical order. That is, /etc/sudoers.d/01_first + will be parsed before /etc/sudoers.d/10_second + . -Be aware that because the sorting is lexical, not numeric, /etc/sudoers.d/1_whoops - would be loaded after /etc/sudoers.d/10_second -. + Be aware that because the sorting is lexical, not numeric, /etc/sudoers.d/1_whoops + would be loaded after /etc/sudoers.d/10_second + . Using a consistent number of leading zeroes in the file names can be used to avoid such problems. Impact: WARNING: - Editing the sudo - configuration incorrectly can cause sudo - to stop functioning. Always use visudo - to modify sudo - configuration files. + Editing the sudo + configuration incorrectly can cause sudo + to stop functioning. Always use visudo + to modify sudo + configuration files. -Creation of additional log files can cause disk space exhaustion if not correctly managed. You should configure logrotate - to manage the sudo log in accordance with your local policy. + Creation of additional log files can cause disk space exhaustion if not correctly managed. 
You should configure logrotate + to manage the sudo log in accordance with your local policy. @@ -18562,11 +18562,11 @@ Creation of additional log files can cause disk space exhaustion if not correctl -Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> - to edit the relevant sudoers file. + Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> + to edit the relevant sudoers file. -Remove any line with occurrences of NOPASSWD - tags in the file. + Remove any line with occurrences of NOPASSWD + tags in the file. Impact: This will prevent automated processes from being able to elevate privileges. @@ -18618,11 +18618,11 @@ Remove any line with occurrences of visudo -f <PATH TO FILE> - to edit the relevant sudoers file. + Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> + to edit the relevant sudoers file. -Remove any occurrences of !authenticate - tags in the file(s). + Remove any occurrences of !authenticate + tags in the file(s). @@ -18640,7 +18640,7 @@ Remove any occurrences of !auth sudo - caches used credentials for a default of 5 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies. + caches used credentials for a default of 5 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies. 
@@ -18670,16 +18670,16 @@ Remove any occurrences of !auth -If the currently configured timeout is larger than 15 minutes, edit the file listed in the audit section with visudo -f <PATH TO FILE> - and modify the entry timestamp_timeout= - to 15 minutes or less as per your site policy. The value is in minutes. This particular entry may appear on its own, or on the same line as env_reset -. See the following two examples: + If the currently configured timeout is larger than 15 minutes, edit the file listed in the audit section with visudo -f <PATH TO FILE> + and modify the entry timestamp_timeout= + to 15 minutes or less as per your site policy. The value is in minutes. This particular entry may appear on its own, or on the same line as env_reset + . See the following two examples: Defaults env_reset, timestamp_timeout=15 - + -Defaults timestamp_timeout=15
-Defaults env_reset -
+ Defaults timestamp_timeout=15
+ Defaults env_reset +
@@ -18696,15 +18696,15 @@ Defaults env_reset Ensure access to the su command is restricted -The su - command allows a user to run a command or shell as another user. The program has been superseded by sudo -, which allows for more granular control over privileged access. Normally, the su - command can be executed by any user. By uncommenting the pam_wheel.so - statement in /etc/pam.d/su -, the su - command will only allow users in a specific groups to execute su -. This group should be empty to reinforce the use of sudo - for privileged access. + The su + command allows a user to run a command or shell as another user. The program has been superseded by sudo + , which allows for more granular control over privileged access. Normally, the su + command can be executed by any user. By uncommenting the pam_wheel.so + statement in /etc/pam.d/su + , the su + command will only allow users in a specific groups to execute su + . This group should be empty to reinforce the use of sudo + for privileged access. @@ -18726,12 +18726,12 @@ The su -Restricting the use of su - , and using sudo - in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo - , whereas su - can only record that a user executed the su - program. + Restricting the use of su + , and using sudo + in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo + , whereas su + can only record that a user executed the su + program. 
@@ -18740,18 +18740,18 @@ Restricting the use of su -Create an empty group that will be specified for use of the su - command. The group should be named according to site policy. + Create an empty group that will be specified for use of the su + command. The group should be named according to site policy. Example: # groupadd sugroup - + -Add the following line to the /etc/pam.d/su - file, specifying the empty group: + Add the following line to the /etc/pam.d/su + file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup - + @@ -18766,8 +18766,8 @@ Add the following line to the / Pluggable Authentication Modules -Pluggable Authentication Modules (PAM) is a service that implements modular authentication modules on UNIX systems. PAM is implemented as a set of shared objects that are loaded and executed when a program needs to authenticate a user. Files for PAM are typically located in the /etc/pam.d - directory. PAM must be carefully configured to secure system authentication. While this section covers some of PAM, please consult other PAM resources to fully understand the configuration capabilities. + Pluggable Authentication Modules (PAM) is a service that implements modular authentication modules on UNIX systems. PAM is implemented as a set of shared objects that are loaded and executed when a program needs to authenticate a user. Files for PAM are typically located in the /etc/pam.d + directory. PAM must be carefully configured to secure system authentication. While this section covers some of PAM, please consult other PAM resources to fully understand the configuration capabilities. Configure PAM software packages 
@@ -18787,14 +18787,14 @@ Pluggable Authentication Modules (PAM) is a service that implements modular auth - IF - - the version of PAM - on the system is less that version pam-1.5.1-19 -: + the version of PAM + on the system is less that version pam-1.5.1-19 + : -Run the following command to update to the latest version of PAM -: + Run the following command to update to the latest version of PAM + : # dnf upgrade pam - + @@ -18812,8 +18812,8 @@ Run the following command to update to the latest version of < Authselect is a utility that simplifies the configuration of user authentication. Authselect offers ready-made profiles that can be universally used with all modern identity management systems You can create and deploy a custom profile by customizing one of the default profiles, the sssd, winbind, or the nis profile. This is particularly useful if Modifying a ready-made authselect profile is not enough for your needs. When you deploy a custom profile, the profile is applied to every user logging into the given host. This would be the recommended method, so that the existing profiles can remain unmodified. -Updated versions of authselect - include additional functionality + Updated versions of authselect + include additional functionality Authselect makes testing and troubleshooting easy because it only modifies files in these directories: 
@@ -18829,32 +18829,32 @@ Updated versions of authselect -To ensure the system has full functionality and access to the options covered by this Benchmark, authselect-1.2.6-2 - or latter is required + To ensure the system has full functionality and access to the options covered by this Benchmark, authselect-1.2.6-2 + or latter is required -Run the following command to install authselect -: + Run the following command to install authselect + : # dnf install authselect - + - IF - - the version of authselect - on the system is less that version authselect-1.2.6-2 -: + the version of authselect + on the system is less that version authselect-1.2.6-2 + : -Run the following command to update to the latest version of authselect -: + Run the following command to update to the latest version of authselect + : # dnf upgrade authselect - + Impact: -If local site customizations have been made to an authselect default or custom profile created with the --symlink-pam - option, these customizations may be over-written by updating authselect. + If local site customizations have been made to an authselect default or custom profile created with the --symlink-pam + option, these customizations may be over-written by updating authselect. WARNING: 
@@ -18864,8 +18864,8 @@ If local site customizations have been made to an authselect default or custom p Your host is part of Active Directory via SSSD. Calling the realm join command to join your host to an Active Directory domain automatically configures SSSD authentication on your host. -It is not - recommended to change the authselect profiles configured by ipa-client-install or realm join. If you need to modify them, display the current settings before making any modifications, so you can revert back to them if necessary + It is not + recommended to change the authselect profiles configured by ipa-client-install or realm join. If you need to modify them, display the current settings before making any modifications, so you can revert back to them if necessary @@ -18883,10 +18883,10 @@ It is not libpwquality - provides common functions for password quality checking and scoring them based on their apparent randomness. The library also provides a function for generating random passwords with good pronounceability. + provides common functions for password quality checking and scoring them based on their apparent randomness. The library also provides a function for generating random passwords with good pronounceability. -This module can be plugged into the password stack of a given service to provide some plug-in strength-checking for passwords. The code was originally based on pam_cracklib - module and the module is backwards compatible with its options. + This module can be plugged into the password stack of a given service to provide some plug-in strength-checking for passwords. The code was originally based on pam_cracklib + module and the module is backwards compatible with its options. Strong passwords reduce the risk of systems being hacked through brute force methods. 
@@ -18895,20 +18895,20 @@ This module can be plugged into the password stack of a given service to provide -Run the following command to install libpwquality -: + Run the following command to install libpwquality + : # dnf install libpwquality - + - IF - - the version of libpwquality - on the system is less that version libpwquality-1.4.4-8 -: + the version of libpwquality + on the system is less that version libpwquality-1.4.4-8 + : -Run the following command to update to the latest version of libpwquality -: + Run the following command to update to the latest version of libpwquality + : # dnf upgrade libpwquality - + 
@@ -18942,73 +18942,73 @@ Run the following command to update to the latest version of < /usr/share/authselect/default - - Read-only directory containing profiles shipped together with authselect. + - Read-only directory containing profiles shipped together with authselect. /usr/share/authselect/vendor - - Read-only directory for vendor-specific profiles that can override the ones in default directory. + - Read-only directory for vendor-specific profiles that can override the ones in default directory. /etc/authselect/custom - - Place for administrator-defined profiles. + - Place for administrator-defined profiles. Profile Files - Each profile consists of one or more of these files which provide a mandatory profile description and describe the changes that are done to the system: README - - Description of the profile. The first line must be a name of the profile. + - Description of the profile. The first line must be a name of the profile. system-auth - - PAM stack that is included from nearly all individual service configuration files. + - PAM stack that is included from nearly all individual service configuration files. password-auth -, smartcard-auth -, fingerprint-auth - - These PAM stacks are for applications which handle authentication from different types of devices via simultaneously running individual conversations instead of one aggregate conversation. + , smartcard-auth + , fingerprint-auth + - These PAM stacks are for applications which handle authentication from different types of devices via simultaneously running individual conversations instead of one aggregate conversation. postlogin - - The purpose of this PAM stack is to provide a common place for all PAM modules which should be called after the stack configured in system-auth - or the other common PAM configuration files. It is included from all individual service configuration files that provide login service with shell or file access. 
Note: - the modules in the postlogin configuration file are executed regardless of the success or failure of the modules in the system-auth - configuration file. + - The purpose of this PAM stack is to provide a common place for all PAM modules which should be called after the stack configured in system-auth + or the other common PAM configuration files. It is included from all individual service configuration files that provide login service with shell or file access. Note: + the modules in the postlogin configuration file are executed regardless of the success or failure of the modules in the system-auth + configuration file. nsswitch.conf - - Name Service Switch configuration file. Only maps relevant to the profile must be set. Maps that are not specified by the profile are included from /etc/authselect/user-nsswitch.conf -. + - Name Service Switch configuration file. Only maps relevant to the profile must be set. Maps that are not specified by the profile are included from /etc/authselect/user-nsswitch.conf + . dconf-db - - Changes to dconf database. The main uses case of this file is to set changes for gnome login screen in order to enable or disable smartcard and fingerprint authentication. + - Changes to dconf database. The main uses case of this file is to set changes for gnome login screen in order to enable or disable smartcard and fingerprint authentication. dconf-locks - - This file define locks on values set in dconf database. + - This file define locks on values set in dconf database. Conditional lines - Each of these files serves as a template. A template is a plain text file with optional usage of several operators that can be used to provide some optional profile features. {continue if "feature"} - - Immediately stop processing of the file unless "feature" is defined (the rest of the file content will be removed). If "feature" is defined, the whole line with this operator will be removed and the rest of the template will be processed. 
+ - Immediately stop processing of the file unless "feature" is defined (the rest of the file content will be removed). If "feature" is defined, the whole line with this operator will be removed and the rest of the template will be processed. {stop if "feature"} - - Opposite of "continue if". Immediately stop processing of the file if "feature" is defined (the rest of the file content will be removed). If "feature" is not defined, the whole line with this operator will be removed and the rest of the template will be processed. + - Opposite of "continue if". Immediately stop processing of the file if "feature" is defined (the rest of the file content will be removed). If "feature" is not defined, the whole line with this operator will be removed and the rest of the template will be processed. {include if "feature"} - - Include the line where this operator is placed only if "feature" is defined. + - Include the line where this operator is placed only if "feature" is defined. {exclude if "feature"} - - Opposite to "include-if". Include the line where this operator is placed only if "feature" is not defined. + - Opposite to "include-if". Include the line where this operator is placed only if "feature" is not defined. {imply "implied-feature" if "feature"} - - Enable feature "implied-feature" if feature "feature" is enabled. The whole line with this operator is removed, thus it is not possible to add anything else around this operator at the same line. + - Enable feature "implied-feature" if feature "feature" is enabled. The whole line with this operator is removed, thus it is not possible to add anything else around this operator at the same line. {if "feature":true|false} - - If "feature" is defined, replace this operator with string "true", otherwise with string "false". + - If "feature" is defined, replace this operator with string "true", otherwise with string "false". 
{if "feature":true} - - If "feature" is defined, replace this operator with string "true", otherwise with an empty string. + - If "feature" is defined, replace this operator with string "true", otherwise with an empty string. Example of creating a custom authselect profile called custom-profile # authselect create-profile custom-profile -b sssd - + WARNING: @@ -19044,9 +19044,9 @@ Run the following command to update to the latest version of <
-with the option --base-on=BASE-ID - or -b=BASE-ID - the new profile will be based on a profile named BASE-ID. + with the option --base-on=BASE-ID + or -b=BASE-ID + the new profile will be based on a profile named BASE-ID. The base profile location is determined with these steps: If BASE-ID starts with prefix custom/ it is a custom profile. @@ -19055,15 +19055,15 @@ with the option --base-on=BASE- Return an error. -The authselect option --force - or -f - will cause authselect to write changes even if the previous configuration was not created by authselect but by other tool or by manual changes. This option will automatically backup system files before writing any change unless the --nobackup - option is set. + The authselect option --force + or -f + will cause authselect to write changes even if the previous configuration was not created by authselect but by other tool or by manual changes. This option will automatically backup system files before writing any change unless the --nobackup + option is set. Example: authselect select custom/custom-profile with-pwhistory with-faillock without-nullok --backup=PAM_CONFIG_BACKUP --force - +
@@ -19082,85 +19082,85 @@ The authselect option --forcePerform the following to create a custom authselect profile, with the modules covered in this Benchmark correctly included in the custom profile template files Run the following command to create a custom authselect profile: # authselect create-profile <custom-profile name> <options> - + Example: # authselect create-profile custom-profile -b sssd - + Run the following command to select a custom authselect profile: # authselect select custom/<CUSTOM PROFILE NAME> {with-<OPTIONS>} {--force} - + Example: # authselect select custom/custom-profile --backup=PAM_CONFIG_BACKUP --force - + Notes: -The PAM and authselect packages must be versions pam-1.3.1-25 - and authselect-1.2.6-1 - or newer + The PAM and authselect packages must be versions pam-1.3.1-25 + and authselect-1.2.6-1 + or newer -The example is based on a custom profile built (copied) from the the SSSD - default authselect profile. + The example is based on a custom profile built (copied) from the the SSSD + default authselect profile. -The example does not include the symlink - option for the PAM - or Metadata - files. This is due to the fact that by linking the PAM - files future updates to authselect - may overwrite local site customizations to the custom profile + The example does not include the symlink + option for the PAM + or Metadata + files. This is due to the fact that by linking the PAM + files future updates to authselect + may overwrite local site customizations to the custom profile -The --backup=PAM_CONFIG_BACKUP - option will create a backup of the current config. The backup will be stored at /var/lib/authselect/backups/PAM_CONFIG_BACKUP + The --backup=PAM_CONFIG_BACKUP + option will create a backup of the current config. 
The backup will be stored at /var/lib/authselect/backups/PAM_CONFIG_BACKUP -The --force - option will force the overwrite of the existing files and automatically backup system files before writing any change unless the --nobackup - option is set. - + The --force + option will force the overwrite of the existing files and automatically backup system files before writing any change unless the --nobackup + option is set. + -On a new system where authselect has not been configured. In this case, the --force - option will force the selected authselect profile to be active and overwrite the existing files with files generated from the selected authselect profile's templates + On a new system where authselect has not been configured. In this case, the --force + option will force the selected authselect profile to be active and overwrite the existing files with files generated from the selected authselect profile's templates -On an existing system with a custom configuration. The --force - option may be used, but ensure that you note the backup location included as your custom files will be overwritten. - This will allow you to review the changes and add any necessary customizations to the template files for the authselect profile. After updating the templates, run the command authselect apply-changes - to add these custom entries to the files in /etc/pam.d/ + On an existing system with a custom configuration. The --force + option may be used, but ensure that you note the backup location included as your custom files will be overwritten. + This will allow you to review the changes and add any necessary customizations to the template files for the authselect profile. 
After updating the templates, run the command authselect apply-changes + to add these custom entries to the files in /etc/pam.d/ - IF - - you receive an error ending with a message similar to: + you receive an error ending with a message similar to: -[error] Refusing to activate profile unless those changes are removed or overwrite is requested.
-Some unexpected changes to the configuration were detected. Use 'select' command instead. -
+ [error] Refusing to activate profile unless those changes are removed or overwrite is requested.
+ Some unexpected changes to the configuration were detected. Use 'select' command instead. + -This error is caused when the previous configuration was not created by authselect but by other tool or by manual changes and the --force - option will be required to enable the authselect profile. + This error is caused when the previous configuration was not created by authselect but by other tool or by manual changes and the --force + option will be required to enable the authselect profile. Impact: -If local site customizations have been made to the authselect template or files in /etc/pam.d - these custom entries should be added to the newly created custom profile before it's applied to the system. + If local site customizations have been made to the authselect template or files in /etc/pam.d + these custom entries should be added to the newly created custom profile before it's applied to the system. Note: - The order within the pam stacks is important when adding these entries. Specifically for the password stack, the use_authtok - option is important, and should appear on all modules except for the first entry. + The order within the pam stacks is important when adding these entries. Specifically for the password stack, the use_authtok + option is important, and should appear on all modules except for the first entry. Example: -password requisite pam_pwquality.so local_users_only #<-- Top of password stack, doesn't include use_authtok
-password required pam_pwhistory.so use_authtok #<-- subsequent entry in password stack, includes use_authtok -
+ password requisite pam_pwquality.so local_users_only #<-- Top of password stack, doesn't include use_authtok
+ password required pam_pwhistory.so use_authtok #<-- subsequent entry in password stack, includes use_authtok + @@ -19176,9 +19176,9 @@ password required pam_pwhistory.so use_authtok #<-- subsequent entry in Ensure pam_faillock module is enabled -The pam_faillock.so - module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than the configured number of consecutive failed authentications (this is defined by the deny - parameter in the faillock configuration). It stores the failure records into per-user files in the tally directory. + The pam_faillock.so + module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than the configured number of consecutive failed authentications (this is defined by the deny + parameter in the faillock configuration). It stores the failure records into per-user files in the tally directory. @@ -19210,60 +19210,60 @@ The pam_faillock.so -Run the following script to verify the pam_faillock.so - lines exist in the profile templates: + Run the following script to verify the pam_faillock.so + lines exist in the profile templates: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_module_name="faillock"
- l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
- if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
- l_pam_profile_path="/etc/authselect/$l_pam_profile"
- else
- l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
- fi
- grep -P -- "\bpam_$l_module_name\.so\b" "$l_pam_profile_path"/{password,system}-auth
-} -
+ {
+ l_module_name="faillock"
+ l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
+ if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
+ l_pam_profile_path="/etc/authselect/$l_pam_profile"
+ else
+ l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
+ fi
+ grep -P -- "\bpam_$l_module_name\.so\b" "$l_pam_profile_path"/{password,system}-auth
+ } + Example Output with a custom profile named "custom-profile": -/etc/authselect/custom/custom-profile/password-auth:auth required pam_faillock.so preauth silent {include if "with-faillock"}
-/etc/authselect/custom/custom-profile/password-auth:auth required pam_faillock.so authfail {include if "with-faillock"}
-/etc/authselect/custom/custom-profile/password-auth:account required pam_faillock.so {include if "with-faillock"}
+ /etc/authselect/custom/custom-profile/password-auth:auth required pam_faillock.so preauth silent {include if "with-faillock"}
+ /etc/authselect/custom/custom-profile/password-auth:auth required pam_faillock.so authfail {include if "with-faillock"}
+ /etc/authselect/custom/custom-profile/password-auth:account required pam_faillock.so {include if "with-faillock"}

-/etc/authselect/custom/custom-profile/system-auth:auth required pam_faillock.so preauth silent {include if "with-faillock"}
-/etc/authselect/custom/custom-profile/system-auth:auth required pam_faillock.so authfail {include if "with-faillock"}
-/etc/authselect/custom/custom-profile/system-auth:account required pam_faillock.so {include if "with-faillock"} -
+ /etc/authselect/custom/custom-profile/system-auth:auth required pam_faillock.so preauth silent {include if "with-faillock"}
+ /etc/authselect/custom/custom-profile/system-auth:auth required pam_faillock.so authfail {include if "with-faillock"}
+ /etc/authselect/custom/custom-profile/system-auth:account required pam_faillock.so {include if "with-faillock"} + Note: - The lines may not include {include if "with-faillock"} + The lines may not include {include if "with-faillock"} - IF - - the lines shown above are not returned, refer to the Recommendation "Ensure active authselect profile includes pam modules" to update the authselect profile template files to include the pam_faillock - entries before continuing this remediation. + the lines shown above are not returned, refer to the Recommendation "Ensure active authselect profile includes pam modules" to update the authselect profile template files to include the pam_faillock + entries before continuing this remediation. - IF - - the lines include {include if "with-faillock"} -, run the following command to enable the authselect with-faillock - feature and update the files in /etc/pam.d - to include pam_faillock.so -: + the lines include {include if "with-faillock"} + , run the following command to enable the authselect with-faillock + feature and update the files in /etc/pam.d + to include pam_faillock.so + : # authselect enable-feature with-faillock - + - IF - - any of the pam_faillock - lines exist without {include if "with-faillock"} -, run the following command to update the files in /etc/pam.d - to include pam_faillock.so -: + any of the pam_faillock + lines exist without {include if "with-faillock"} + , run the following command to update the files in /etc/pam.d + to include pam_faillock.so + : # authselect apply-changes - +
@@ -19300,8 +19300,8 @@ Run the following script to verify the Ensure pam_pwquality module is enabled -The pam_pwquality.so - module performs password quality checking. This module can be plugged into the password stack of a given service to provide strength-checking for passwords. The code was originally based on pam_cracklib module and the module is backwards compatible with its options. + The pam_pwquality.so + module performs password quality checking. This module can be plugged into the password stack of a given service to provide strength-checking for passwords. The code was originally based on pam_cracklib module and the module is backwards compatible with its options. The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices. The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion). All being well, the password is passed on to subsequent modules to be installed as the new authentication token. @@ -19334,56 +19334,56 @@ The pam_pwquality.so Review the authselect profile templates: -Run the following script to verify the pam_pwquality.so - lines exist in the active profile templates: + Run the following script to verify the pam_pwquality.so + lines exist in the active profile templates: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_module_name="pwquality"
- l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
- if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
- l_pam_profile_path="/etc/authselect/$l_pam_profile"
- else
- l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
- fi
- grep -P -- "\bpam_$l_module_name\.so\b" "$l_pam_profile_path"/{password,system}-auth
-} -
+ {
+ l_module_name="pwquality"
+ l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
+ if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
+ l_pam_profile_path="/etc/authselect/$l_pam_profile"
+ else
+ l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
+ fi
+ grep -P -- "\bpam_$l_module_name\.so\b" "$l_pam_profile_path"/{password,system}-auth
+ } + Example Output with a custom profile named "custom-profile": -/etc/authselect/custom/custom-profile/password-auth:password requisite pam_pwquality.so local_users_only {include if "with-pwquality"}
+ /etc/authselect/custom/custom-profile/password-auth:password requisite pam_pwquality.so local_users_only {include if "with-pwquality"}

-/etc/authselect/custom/custom-profile/system-auth:password requisite pam_pwquality.so local_users_only {include if "with-pwquality"} -
+ /etc/authselect/custom/custom-profile/system-auth:password requisite pam_pwquality.so local_users_only {include if "with-pwquality"} + Note: - The lines may not include {include if "with-pwquality"} + The lines may not include {include if "with-pwquality"} - IF - - the lines shown above are not returned, refer to the Recommendation "Ensure active authselect profile includes pam modules" to update the authselect profile template files to include the pam_pwquality - entries before continuing this remediation. + the lines shown above are not returned, refer to the Recommendation "Ensure active authselect profile includes pam modules" to update the authselect profile template files to include the pam_pwquality + entries before continuing this remediation. - IF - - any of the pam_pwquality - lines include {include if "with-pwquality"} -, run the following command to enable the authselect with-pwquality - feature and update the files in /etc/pam.d - to include `pam_pwquality: + any of the pam_pwquality + lines include {include if "with-pwquality"} + , run the following command to enable the authselect with-pwquality + feature and update the files in /etc/pam.d + to include `pam_pwquality: # authselect enable-feature with-pwquality - + - IF - - any of the pam_pwquality - lines exist without {include if "with-pwquality"} -, run the following command to update the files in /etc/pam.d - to include pam_pwquality.so -: + any of the pam_pwquality + lines exist without {include if "with-pwquality"} + , run the following command to update the files in /etc/pam.d + to include pam_pwquality.so + : # authselect apply-changes - + 
@@ -19400,8 +19400,8 @@ Run the following script to verify the Ensure pam_pwhistory module is enabled -The pam_history.so - module saves the last passwords for each user in order to force password change history and keep the user from alternating between the same password too frequently. + The pam_history.so + module saves the last passwords for each user in order to force password change history and keep the user from alternating between the same password too frequently. @@ -19431,56 +19431,56 @@ The pam_history.so -Run the following script to verify the pam_pwhistory.so - lines exist in the profile templates: + Run the following script to verify the pam_pwhistory.so + lines exist in the profile templates: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_module_name="pwhistory"
- l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
- if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
- l_pam_profile_path="/etc/authselect/$l_pam_profile"
- else
- l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
- fi
- grep -P -- "\bpam_$l_module_name\.so\b" "$l_pam_profile_path"/{password,system}-auth
-} -
+ {
+ l_module_name="pwhistory"
+ l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
+ if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
+ l_pam_profile_path="/etc/authselect/$l_pam_profile"
+ else
+ l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
+ fi
+ grep -P -- "\bpam_$l_module_name\.so\b" "$l_pam_profile_path"/{password,system}-auth
+ } + Example Output with a custom profile named "custom-profile": -/etc/authselect/custom/custom-profile/password-auth:password required pam_pwhistory.so use_authtok {include if "with-pwhistory"}
+ /etc/authselect/custom/custom-profile/password-auth:password required pam_pwhistory.so use_authtok {include if "with-pwhistory"}

-/etc/authselect/custom/custom-profile/system-auth:password required pam_pwhistory.so use_authtok {include if "with-pwhistory"} -
+ /etc/authselect/custom/custom-profile/system-auth:password required pam_pwhistory.so use_authtok {include if "with-pwhistory"} + Note: - The lines may not include {include if "with-pwhistory"} + The lines may not include {include if "with-pwhistory"} - IF - - the lines shown above are not returned, refer to the Recommendation "Ensure active authselect profile includes pam modules" to update the authselect profile template files to include the pam_pwhistory - entries before continuing this remediation. + the lines shown above are not returned, refer to the Recommendation "Ensure active authselect profile includes pam modules" to update the authselect profile template files to include the pam_pwhistory + entries before continuing this remediation. - IF - - the lines include {include if "with-pwhistory"} -, run the following command to enable the authselect with-pwhistory - feature and update the files in /etc/pam.d - to include pam_faillock.so -: + the lines include {include if "with-pwhistory"} + , run the following command to enable the authselect with-pwhistory + feature and update the files in /etc/pam.d + to include pam_faillock.so + : # authselect enable-feature with-pwhistory - + - IF - - any of the pam_pwhistory - lines exist without {include if "with-pwhistory"} -, run the following command to update the files in /etc/pam.d - to include pam_pwhistory.so -: + any of the pam_pwhistory + lines exist without {include if "with-pwhistory"} + , run the following command to update the files in /etc/pam.d + to include pam_pwhistory.so + : # authselect apply-changes - +
@@ -19497,10 +19497,10 @@ Run the following script to verify the Ensure pam_unix module is enabled -The pam_unix.so - module is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd - and the /etc/shadow - file as well if shadow is enabled. + The pam_unix.so + module is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd + and the /etc/shadow + file as well if shadow is enabled. Requiring users to use authentication make it less likely that an attacker will be able to access the system. @@ -19510,44 +19510,44 @@ The pam_unix.so -Run the following script to verify the pam_unix.so - lines exist in the profile templates: + Run the following script to verify the pam_unix.so + lines exist in the profile templates: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_module_name="unix"
- l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
- if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
- l_pam_profile_path="/etc/authselect/$l_pam_profile"
- else
- l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
- fi
- grep -P -- "\bpam_$l_module_name\.so\b" "$l_pam_profile_path"/{password,system}-auth
-} -
+ {
+ l_module_name="unix"
+ l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
+ if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
+ l_pam_profile_path="/etc/authselect/$l_pam_profile"
+ else
+ l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
+ fi
+ grep -P -- "\bpam_$l_module_name\.so\b" "$l_pam_profile_path"/{password,system}-auth
+ } + Example Output with a custom profile named "custom-profile": -/etc/authselect/custom/custom-profile/password-auth:auth sufficient pam_unix.so {if not "without-nullok":nullok}
-/etc/authselect/custom/custom-profile/password-auth:account required pam_unix.so
-/etc/authselect/custom/custom-profile/password-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok remember=5
-/etc/authselect/custom/custom-profile/password-auth:session required pam_unix.so
+ /etc/authselect/custom/custom-profile/password-auth:auth sufficient pam_unix.so {if not "without-nullok":nullok}
+ /etc/authselect/custom/custom-profile/password-auth:account required pam_unix.so
+ /etc/authselect/custom/custom-profile/password-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok remember=5
+ /etc/authselect/custom/custom-profile/password-auth:session required pam_unix.so

-/etc/authselect/custom/custom-profile/system-auth:auth sufficient pam_unix.so {if not "without-nullok":nullok}
-/etc/authselect/custom/custom-profile/system-auth:account required pam_unix.so
-/etc/authselect/custom/custom-profile/system-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
-/etc/authselect/custom/custom-profile/system-auth:session required pam_unix.so -
+ /etc/authselect/custom/custom-profile/system-auth:auth sufficient pam_unix.so {if not "without-nullok":nullok}
+ /etc/authselect/custom/custom-profile/system-auth:account required pam_unix.so
+ /etc/authselect/custom/custom-profile/system-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
+ /etc/authselect/custom/custom-profile/system-auth:session required pam_unix.so + - IF - - the lines shown above are not returned, refer to the Recommendation "Ensure active authselect profile includes pam modules" to update the authselect profile template files to include the pam_unix - entries before continuing this remediation. + the lines shown above are not returned, refer to the Recommendation "Ensure active authselect profile includes pam modules" to update the authselect profile template files to include the pam_unix + entries before continuing this remediation. Note: - Arguments following pam_unix.so - may be different than the example output + Arguments following pam_unix.so + may be different than the example output
@@ -19596,74 +19596,74 @@ Run the following script to verify the Pluggable Authentication Modules (PAM) uses arguments to pass information to a pluggable module during authentication for a particular module type. These arguments allow the PAM configuration files for particular programs to use a common PAM module but in different ways. -Invalid arguments are ignored and do not otherwise affect the success or failure of the PAM module. When an invalid argument is passed, an error is usually written to /var/log/messages - file. However, since the reporting method is controlled by the PAM module, the module must be written correctly to log the error to this file. + Invalid arguments are ignored and do not otherwise affect the success or failure of the PAM module. When an invalid argument is passed, an error is usually written to /var/log/messages + file. However, since the reporting method is controlled by the PAM module, the module must be written correctly to log the error to this file. Configure pam_faillock module faillock.conf provides a way to configure the default settings for locking the user after multiple failed authentication attempts. This file is read by the pam_faillock module and is the preferred method over configuring pam_faillock directly. -The file has a very simple name = value format with possible comments starting with # character. The whitespace at the beginning of line, end of line, and around the = - sign is ignored. + The file has a very simple name = value format with possible comments starting with # character. The whitespace at the beginning of line, end of line, and around the = + sign is ignored. Options: <dir=/path/to/tally-directory> - - The directory where the user files with the failure records are kept. The default is /var/run/faillock. Note: These files will disappear after reboot on systems configured with directory /var/run/faillock mounted on virtual memory. 
+ - The directory where the user files with the failure records are kept. The default is /var/run/faillock. Note: These files will disappear after reboot on systems configured with directory /var/run/faillock mounted on virtual memory. audit - - Will log the user name into the system log if the user is not found. + - Will log the user name into the system log if the user is not found. silent - - Don't print informative messages to the user. Please note that when this option is not used there will be difference in the authentication behavior for users which exist on the system and non-existing users. + - Don't print informative messages to the user. Please note that when this option is not used there will be difference in the authentication behavior for users which exist on the system and non-existing users. no_log_info - - Don't log informative messages via syslog(3). + - Don't log informative messages via syslog(3). local_users_only - - Only track failed user authentications attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. The faillock(8) command will also no longer track user failed authentication attempts. Enabling this option will prevent a double-lockout scenario where a user is locked out locally and in the centralized mechanism. + - Only track failed user authentications attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. The faillock(8) command will also no longer track user failed authentication attempts. Enabling this option will prevent a double-lockout scenario where a user is locked out locally and in the centralized mechanism. nodelay - - Don't enforce a delay after authentication failures. + - Don't enforce a delay after authentication failures. deny=<n> - - Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds -. The default is 3. 
+ - Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds + . The default is 3. fail_interval=n - - The length of the interval during which the consecutive authentication failures must happen for the user account lock out is n seconds. The default is 900 (15 minutes). + - The length of the interval during which the consecutive authentication failures must happen for the user account lock out is n seconds. The default is 900 (15 minutes). unlock_time=n - - The access will be re-enabled after n seconds after the lock out. The value 0 has the same meaning as value never - the access will not be re-enabled without resetting the faillock entries by the faillock(8) command. The default is 600 (10 minutes). Note that the default directory that pam_faillock uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the dir option. Also note that it is usually undesirable to permanently lock out users as they can become easily a target of denial of service attack unless the usernames are random and kept secret to potential attackers. + - The access will be re-enabled after n seconds after the lock out. The value 0 has the same meaning as value never - the access will not be re-enabled without resetting the faillock entries by the faillock(8) command. The default is 600 (10 minutes). Note that the default directory that pam_faillock uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the dir option. Also note that it is usually undesirable to permanently lock out users as they can become easily a target of denial of service attack unless the usernames are random and kept secret to potential attackers. even_deny_root - - Root account can become locked as well as regular accounts. 
+ - Root account can become locked as well as regular accounts. root_unlock_time=n - - This option implies even_deny_root option. Allow access after n seconds to root account after the account is locked. In case the option is not specified the value is the same as of the unlock_time option. + - This option implies even_deny_root option. Allow access after n seconds to root account after the account is locked. In case the option is not specified the value is the same as of the unlock_time option. admin_group=name - - If a group name is specified with this option, members of the group will be handled by this module the same as the root account (the options even_deny_root and root_unlock_time will apply to them. By default the option is not set. + - If a group name is specified with this option, members of the group will be handled by this module the same as the root account (the options even_deny_root and root_unlock_time will apply to them. By default the option is not set. -Example /etc/security/faillock.conf - file: + Example /etc/security/faillock.conf + file: - deny=5
- unlock_time=900
- even_deny_root -
+ deny=5
+ unlock_time=900
+ even_deny_root +
Ensure password failed attempts lockout is configured -The deny=<n> - option will deny access if the number of consecutive authentication failures for this user during the recent interval exceeds -. + The deny=<n> + option will deny access if the number of consecutive authentication failures for this user during the recent interval exceeds + . @@ -19684,16 +19684,16 @@ The deny=<n> -If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= - in the pam_faillock.so - module, the user can be unlocked by issuing the command faillock --user &amp;lt;USERNAME&amp;amp;gt; --reset -. This command sets the failed count to 0, effectively unlocking the user. + If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= + in the pam_faillock.so + module, the user can be unlocked by issuing the command faillock --user &amp;lt;USERNAME&amp;amp;gt; --reset + . This command sets the failed count to 0, effectively unlocking the user. -Locking out user IDs after n - unsuccessful consecutive login attempts mitigates brute force password attacks against your systems. + Locking out user IDs after n + unsuccessful consecutive login attempts mitigates brute force password attacks against your systems. @@ -19701,26 +19701,26 @@ Locking out user IDs after n -Create or edit the following line in /etc/security/faillock.conf - setting the deny - option to 5 - or less: + Create or edit the following line in /etc/security/faillock.conf + setting the deny + option to 5 + or less: deny = 5 - + -Run the following script to remove the deny - argument from the pam_faillock.so - module in the PAM files: + Run the following script to remove the deny + argument from the pam_faillock.so + module in the PAM files: -#!/usr/bin/env bash
-{
- for l_pam_file in system-auth password-auth; do
- l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
- sed -ri 's/(^\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so.*)(\s+deny\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
- done
- authselect apply-changes
-} -
+ #!/usr/bin/env bash
+ {
+ for l_pam_file in system-auth password-auth; do
+ l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
+ sed -ri 's/(^\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so.*)(\s+deny\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
+ done
+ authselect apply-changes
+ } +
@@ -19743,9 +19743,9 @@ Run the following script to remove the unlock_time=<n> - - The access will be re-enabled after - seconds after the lock out. The value 0 - has the same meaning as value never - the access will not be re-enabled without resetting the faillock entries by the faillock(8) command. + - The access will be re-enabled after + seconds after the lock out. The value 0 + has the same meaning as value never - the access will not be re-enabled without resetting the faillock entries by the faillock(8) command. Notes: @@ -19753,8 +19753,8 @@ Run the following script to remove the unlock_time - is 604800 + The maximum configurable value for unlock_time + is 604800 @@ -19777,16 +19777,16 @@ The maximum configurable value for -If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= - in the pam_faillock.so - module, the user can be unlocked by issuing the command faillock --user &amp;lt;USERNAME&amp;amp;gt; --reset -. This command sets the failed count to 0, effectively unlocking the user. + If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= + in the pam_faillock.so + module, the user can be unlocked by issuing the command faillock --user &amp;lt;USERNAME&amp;amp;gt; --reset + . This command sets the failed count to 0, effectively unlocking the user.
-Locking out user IDs after n - unsuccessful consecutive login attempts mitigates brute force password attacks against your systems. + Locking out user IDs after n + unsuccessful consecutive login attempts mitigates brute force password attacks against your systems. @@ -19794,35 +19794,35 @@ Locking out user IDs after n -Set password unlock time to conform to site policy. unlock_time - should be 0 - (never), or 900 - seconds or greater. + Set password unlock time to conform to site policy. unlock_time + should be 0 + (never), or 900 + seconds or greater. -Edit /etc/security/faillock.conf - and update or add the following line: + Edit /etc/security/faillock.conf + and update or add the following line: unlock_time = 900 - + -Run the following script to remove the unlock_time - argument from the pam_faillock.so - module in the PAM files: + Run the following script to remove the unlock_time + argument from the pam_faillock.so + module in the PAM files: -#!/usr/bin/env bash
-{
- for l_pam_file in system-auth password-auth; do
- l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
- sed -ri 's/(^\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so.*)(\s+unlock_time\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
- done
- authselect apply-changes
-}
-`` -
+ #!/usr/bin/env bash
+ {
+ for l_pam_file in system-auth password-auth; do
+ l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
+ sed -ri 's/(^\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so.*)(\s+unlock_time\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
+ done
+ authselect apply-changes
+ }
+ `` + Impact: -Use of unlock_time=0 - may allow an attacker to cause denial of service to legitimate users. This will also require a systems administrator with elevated privileges to unlock the account. + Use of unlock_time=0 + may allow an attacker to cause denial of service to legitimate users. This will also require a systems administrator with elevated privileges to unlock the account.
@@ -19846,10 +19846,10 @@ Use of unlock_time=0 even_deny_root - - Root account can become locked as well as regular accounts + - Root account can become locked as well as regular accounts root_unlock_time=n - - This option implies even_deny_root option. Allow access after n seconds to root account after the account is locked. In case the option is not specified the value is the same as of the unlock_time option. + - This option implies even_deny_root option. Allow access after n seconds to root account after the account is locked. In case the option is not specified the value is the same as of the unlock_time option. @@ -19870,10 +19870,10 @@ Use of unlock_time=0 -If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= - in the pam_faillock.so - module, the user can be unlocked by issuing the command faillock --user &amp;lt;USERNAME&amp;amp;gt; --reset -. This command sets the failed count to 0, effectively unlocking the user. + If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= + in the pam_faillock.so + module, the user can be unlocked by issuing the command faillock --user &amp;lt;USERNAME&amp;amp;gt; --reset + . This command sets the failed count to 0, effectively unlocking the user. 
@@ -19885,41 +19885,41 @@ If a user has been locked out because they have reached the maximum consecutive -Edit /etc/security/faillock.conf -: + Edit /etc/security/faillock.conf + : -Remove or update any line containing root_unlock_time -, - OR - - set it to a value of 60 - or more + Remove or update any line containing root_unlock_time + , - OR - + set it to a value of 60 + or more Update or add the following line: even_deny_root - + -Run the following script to remove the even_deny_root - and root_unlock_time - arguments from the pam_faillock.so - module in the PAM files: + Run the following script to remove the even_deny_root + and root_unlock_time + arguments from the pam_faillock.so + module in the PAM files: -#!/usr/bin/env bash
-{
- for l_pam_file in system-auth password-auth; do
- l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
- sed -ri 's/(^\s*auth\s+(.*)\s+pam_faillock\.so.*)(\s+even_deny_root)(.*$)/\1\4/' "$l_authselect_file"
- sed -ri 's/(^\s*auth\s+(.*)\s+pam_faillock\.so.*)(\s+root_unlock_time\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
- done
- authselect apply-changes
-}
-`` -
+ #!/usr/bin/env bash
+ {
+ for l_pam_file in system-auth password-auth; do
+ l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
+ sed -ri 's/(^\s*auth\s+(.*)\s+pam_faillock\.so.*)(\s+even_deny_root)(.*$)/\1\4/' "$l_authselect_file"
+ sed -ri 's/(^\s*auth\s+(.*)\s+pam_faillock\.so.*)(\s+root_unlock_time\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
+ done
+ authselect apply-changes
+ }
+ `` + Impact: -Use of unlock_time=0 - or root_unlock_time=0 - may allow an attacker to cause denial of service to legitimate users. + Use of unlock_time=0 + or root_unlock_time=0 + may allow an attacker to cause denial of service to legitimate users.
@@ -19948,34 +19948,34 @@ Use of unlock_time=0Configure pam_pwquality module -The pam_pwquality.so - module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. + The pam_pwquality.so + module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. These checks are configurable by either: use of the module arguments -modifying the /etc/security/pwquality.conf - configuration file + modifying the /etc/security/pwquality.conf + configuration file -creating a .conf - file in the /etc/security/pwquality.conf.d/ - directory. + creating a .conf + file in the /etc/security/pwquality.conf.d/ + directory. Note: - The module arguments override the settings in the /etc/security/pwquality.conf - configuration file. Settings in the /etc/security/pwquality.conf - configuration file override settings in a .conf - file in the /etc/security/pwquality.conf.d/ - directory. + The module arguments override the settings in the /etc/security/pwquality.conf + configuration file. Settings in the /etc/security/pwquality.conf + configuration file override settings in a .conf + file in the /etc/security/pwquality.conf.d/ + directory. Ensure password number of changed characters is configured -The pwquality + The pwquality difok - option sets the number of characters in a password that must not be present in the old password. + option sets the number of characters in a password that must not be present in the old password. 
@@ -20006,36 +20006,36 @@ The pwquality -Create or modify a file ending in .conf - in the /etc/security/pwquality.conf.d/ - directory or the file /etc/security/pwquality.conf - and add or modify the following line to set difok - to 2 - or more. Ensure setting conforms to local site policy: + Create or modify a file ending in .conf + in the /etc/security/pwquality.conf.d/ + directory or the file /etc/security/pwquality.conf + and add or modify the following line to set difok + to 2 + or more. Ensure setting conforms to local site policy: difok = 2 - + Example: -# sed -ri 's/^\s*difok\s*=/# &/' /etc/security/pwquality.conf
-# printf '\n%s' "difok = 2" >> /etc/security/pwquality.conf.d/50-pwdifok.conf -
+ # sed -ri 's/^\s*difok\s*=/# &/' /etc/security/pwquality.conf
+ # printf '\n%s' "difok = 2" >> /etc/security/pwquality.conf.d/50-pwdifok.conf + -Run the following script to remove setting difok - on the pam_pwquality.so - module in the PAM files: + Run the following script to remove setting difok + on the pam_pwquality.so + module in the PAM files: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- for l_pam_file in system-auth password-auth; do
- l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+difok\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
- done
- authselect apply-changes
-} -
+ {
+ for l_pam_file in system-auth password-auth; do
+ l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+difok\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
+ done
+ authselect apply-changes
+ } +
@@ -20073,7 +20073,7 @@ Run the following script to remove setting minlen - - Minimum acceptable size for the new password (plus one if credits are not disabled which is the default). Cannot be set to lower value than 6. + - Minimum acceptable size for the new password (plus one if credits are not disabled which is the default). Cannot be set to lower value than 6. @@ -20104,33 +20104,33 @@ Run the following script to remove setting -Create or modify a file ending in .conf - in the /etc/security/pwquality.conf.d/ - directory or the file /etc/security/pwquality.conf - and add or modify the following line to set password length of 14 - or more characters. Ensure that password length conforms to local site policy: + Create or modify a file ending in .conf + in the /etc/security/pwquality.conf.d/ + directory or the file /etc/security/pwquality.conf + and add or modify the following line to set password length of 14 + or more characters. Ensure that password length conforms to local site policy: Example: -# sed -ri 's/^\s*minlen\s*=/# &/' /etc/security/pwquality.conf
-# printf '\n%s' "minlen = 14" >> /etc/security/pwquality.conf.d/50-pwlength.conf -
+ # sed -ri 's/^\s*minlen\s*=/# &/' /etc/security/pwquality.conf
+ # printf '\n%s' "minlen = 14" >> /etc/security/pwquality.conf.d/50-pwlength.conf + -Run the following script to remove setting minlen - on the pam_pwquality.so - module in the PAM files: + Run the following script to remove setting minlen + on the pam_pwquality.so + module in the PAM files: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- for l_pam_file in system-auth password-auth; do
- l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+minlen\s*=\s*[0-9]+)(.*$)/\1\4/' "$l_authselect_file"
- done
- authselect apply-changes
-} -
+ {
+ for l_pam_file in system-auth password-auth; do
+ l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+minlen\s*=\s*[0-9]+)(.*$)/\1\4/' "$l_authselect_file"
+ done
+ authselect apply-changes
+ } + 
@@ -20170,25 +20170,25 @@ Run the following script to remove setting minclass - - The minimum number of classes of characters required in a new password. (digits, uppercase, lowercase, others). e.g. minclass = 4 - requires digits, uppercase, lower case, and special characters. + - The minimum number of classes of characters required in a new password. (digits, uppercase, lowercase, others). e.g. minclass = 4 + requires digits, uppercase, lower case, and special characters. dcredit - - The maximum credit for having digits in the new password. If less than 0 - it is the minimum number of digits in the new password. e.g. dcredit = -1 - requires at least one digit + - The maximum credit for having digits in the new password. If less than 0 + it is the minimum number of digits in the new password. e.g. dcredit = -1 + requires at least one digit ucredit - - The maximum credit for having uppercase characters in the new password. If less than 0 it is the minimum number of uppercase characters in the new password. e.g. ucredit = -1 - requires at least one uppercase character + - The maximum credit for having uppercase characters in the new password. If less than 0 it is the minimum number of uppercase characters in the new password. e.g. ucredit = -1 + requires at least one uppercase character ocredit - - The maximum credit for having other characters in the new password. If less than 0 it is the minimum number of other characters in the new password. e.g. ocredit = -1 - requires at least one special character + - The maximum credit for having other characters in the new password. If less than 0 it is the minimum number of other characters in the new password. e.g. ocredit = -1 + requires at least one special character lcredit - - The maximum credit for having lowercase characters in the new password. If less than 0 it is the minimum number of lowercase characters in the new password. e.g. 
lcredit = -1 - requires at least one lowercase character + - The maximum credit for having lowercase characters in the new password. If less than 0 it is the minimum number of lowercase characters in the new password. e.g. lcredit = -1 + requires at least one lowercase character @@ -20221,10 +20221,10 @@ Run the following script to remove setting -Create or modify a file ending in .conf - in the /etc/security/pwquality.conf.d/ - directory or the file /etc/security/pwquality.conf - and add or modify the following line to set: + Create or modify a file ending in .conf + in the /etc/security/pwquality.conf.d/ + directory or the file /etc/security/pwquality.conf + and add or modify the following line to set: minclass = 4 @@ -20251,39 +20251,39 @@ Create or modify a file ending in -# sed -ri 's/^\s*minclass\s*=/# &/' /etc/security/pwquality.conf
-# printf '\n%s' "minclass = 4" >> /etc/security/pwquality.conf.d/50-pwcomplexity.conf - + # sed -ri 's/^\s*minclass\s*=/# &/' /etc/security/pwquality.conf
+ # printf '\n%s' "minclass = 4" >> /etc/security/pwquality.conf.d/50-pwcomplexity.conf + --AND/OR-- -# sed -ri 's/^\s*[dulo]credit\s*=/# &/' /etc/security/pwquality.conf
-# printf '%s\n' "dcredit = -1" "ucredit = -1" "ocredit = -1" "lcredit = -1" > /etc/security/pwquality.conf.d/50-pwcomplexity.conf -
+ # sed -ri 's/^\s*[dulo]credit\s*=/# &/' /etc/security/pwquality.conf
+ # printf '%s\n' "dcredit = -1" "ucredit = -1" "ocredit = -1" "lcredit = -1" > /etc/security/pwquality.conf.d/50-pwcomplexity.conf + -Run the following script to remove setting minclass -, dcredit -, ucredit -, lcredit -, and ocredit - on the pam_pwquality.so - module in the PAM files + Run the following script to remove setting minclass + , dcredit + , ucredit + , lcredit + , and ocredit + on the pam_pwquality.so + module in the PAM files -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- for l_pam_file in system-auth password-auth; do
- l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+minclass\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+dcredit\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+ucredit\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+lcredit\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+ocredit\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
- done
- authselect apply-changes
-} -
+ {
+ for l_pam_file in system-auth password-auth; do
+ l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+minclass\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+dcredit\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+ucredit\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+lcredit\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+ocredit\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
+ done
+ authselect apply-changes
+ } + @@ -20298,9 +20298,9 @@ Run the following script to remove setting Ensure password same consecutive characters is configured -The pwquality + The pwquality maxrepeat - option sets the maximum number of allowed same consecutive characters in a new password. + option sets the maximum number of allowed same consecutive characters in a new password. @@ -20331,35 +20331,35 @@ The pwquality -Create or modify a file ending in .conf - in the /etc/security/pwquality.conf.d/ - directory or the file /etc/security/pwquality.conf - and add or modify the following line to set maxrepeat - to 3 - or less and not 0 -. Ensure setting conforms to local site policy: + Create or modify a file ending in .conf + in the /etc/security/pwquality.conf.d/ + directory or the file /etc/security/pwquality.conf + and add or modify the following line to set maxrepeat + to 3 + or less and not 0 + . Ensure setting conforms to local site policy: Example: -# sed -ri 's/^\s*maxrepeat\s*=/# &/' /etc/security/pwquality.conf
-# printf '\n%s' "maxrepeat = 3" >> /etc/security/pwquality.conf.d/50-pwrepeat.conf -
+ # sed -ri 's/^\s*maxrepeat\s*=/# &/' /etc/security/pwquality.conf
+ # printf '\n%s' "maxrepeat = 3" >> /etc/security/pwquality.conf.d/50-pwrepeat.conf + -Run the following script to remove setting maxrepeat - on the pam_pwquality.so - module in the PAM files: + Run the following script to remove setting maxrepeat + on the pam_pwquality.so + module in the PAM files: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- for l_pam_file in system-auth password-auth; do
- l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+maxrepeat\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
- done
- authselect apply-changes
-} -
+ {
+ for l_pam_file in system-auth password-auth; do
+ l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+maxrepeat\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
+ done
+ authselect apply-changes
+ } +
@@ -20396,15 +20396,15 @@ Run the following script to remove setting Ensure password maximum sequential characters is configured -The pwquality + The pwquality maxsequence - option sets the maximum length of monotonic character sequences in the new password. Examples of such sequence are 12345 - or fedcb -. The check is disabled if the value is 0 -. + option sets the maximum length of monotonic character sequences in the new password. Examples of such sequence are 12345 + or fedcb + . The check is disabled if the value is 0 + . Note: - Most such passwords will not pass the simplicity check unless the sequence is only a minor part of the password. + Most such passwords will not pass the simplicity check unless the sequence is only a minor part of the password. @@ -20435,35 +20435,35 @@ The pwquality -Create or modify a file ending in .conf - in the /etc/security/pwquality.conf.d/ - directory or the file /etc/security/pwquality.conf - and add or modify the following line to set maxsequence - to 3 - or less and not 0 -. Ensure setting conforms to local site policy: + Create or modify a file ending in .conf + in the /etc/security/pwquality.conf.d/ + directory or the file /etc/security/pwquality.conf + and add or modify the following line to set maxsequence + to 3 + or less and not 0 + . Ensure setting conforms to local site policy: Example: -# sed -ri 's/^\s*maxsequence\s*=/# &/' /etc/security/pwquality.conf
-# printf '\n%s' "maxsequence = 3" >> /etc/security/pwquality.conf.d/50-pwmaxsequence.conf -
+ # sed -ri 's/^\s*maxsequence\s*=/# &/' /etc/security/pwquality.conf
+ # printf '\n%s' "maxsequence = 3" >> /etc/security/pwquality.conf.d/50-pwmaxsequence.conf + -Run the following script to remove setting maxsequence - on the pam_pwquality.so - module in the PAM files: + Run the following script to remove setting maxsequence + on the pam_pwquality.so + module in the PAM files: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- for l_pam_file in system-auth password-auth; do
- l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+maxsequence\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
- done
- authselect apply-changes
-} -
+ {
+ for l_pam_file in system-auth password-auth; do
+ l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+maxsequence\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
+ done
+ authselect apply-changes
+ } +
@@ -20500,10 +20500,10 @@ Run the following script to remove setting Ensure password dictionary check is enabled -The pwquality + The pwquality dictcheck - option sets whether to check for the words from the cracklib - dictionary. + option sets whether to check for the words from the cracklib + dictionary. @@ -20533,31 +20533,31 @@ The pwquality -Edit any file ending in .conf - in the /etc/security/pwquality.conf.d/ - directory and/or the file /etc/security/pwquality.conf - and comment out or remove any instance of dictcheck = 0 -: + Edit any file ending in .conf + in the /etc/security/pwquality.conf.d/ + directory and/or the file /etc/security/pwquality.conf + and comment out or remove any instance of dictcheck = 0 + : Example: # sed -ri 's/^\s*dictcheck\s*=/# &/' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf - + -Run the following script to remove setting dictcheck - on the pam_pwquality.so - module in the PAM files: + Run the following script to remove setting dictcheck + on the pam_pwquality.so + module in the PAM files: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- for l_pam_file in system-auth password-auth; do
- l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+dictcheck\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
- done
- authselect apply-changes
-} -
+ {
+ for l_pam_file in system-auth password-auth; do
+ l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so.*)(\s+dictcheck\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
+ done
+ authselect apply-changes
+ } +
@@ -20584,13 +20584,13 @@ Run the following script to remove setting Ensure password quality is enforced for the root user -If the pwquality + If the pwquality enforce_for_root - option is enabled, the module will return error on failed check even if the user changing the password is root. + option is enabled, the module will return error on failed check even if the user changing the password is root. This option is off by default which means that just the message about the failed check is printed but root can change the password anyway. Note: - The root is not asked for an old password so the checks that compare the old and new password are not performed. + The root is not asked for an old password so the checks that compare the old and new password are not performed. @@ -20621,15 +20621,15 @@ If the pwquality -Edit or add the following line in a *.conf - file in /etc/security/pwquality.conf.d - or in /etc/security/pwquality.conf -: + Edit or add the following line in a *.conf + file in /etc/security/pwquality.conf.d + or in /etc/security/pwquality.conf + : Example: printf '\n%s\n' "enforce_for_root" >> /etc/security/pwquality.conf.d/50-pwroot.conf - + 
@@ -20648,108 +20648,108 @@ Edit or add the following line in a pam_pwhistory - - PAM module to remember last passwords + - PAM module to remember last passwords pam_history.so - module - This module saves the last passwords for each user in order to force password change history and keep the user from alternating between the same password too frequently. + module - This module saves the last passwords for each user in order to force password change history and keep the user from alternating between the same password too frequently. -This module does not work together with kerberos. In general, it does not make much sense to use this module in conjunction with NIS - or LDAP -, since the old passwords are stored on the local machine and are not available on another machine for password history checking. + This module does not work together with kerberos. In general, it does not make much sense to use this module in conjunction with NIS + or LDAP + , since the old passwords are stored on the local machine and are not available on another machine for password history checking. Options: debug - - Turns on debugging via syslog(3). + - Turns on debugging via syslog(3).
use_authtok - - When password changing enforce the module to use the new password provided by a previously stacked password module (this is used in the example of the stacking of the pam_passwdqc module - documented below). + - When password changing enforce the module to use the new password provided by a previously stacked password module (this is used in the example of the stacking of the pam_passwdqc module + documented below). enforce_for_root - - If this option is set, the check is enforced for root, too. + - If this option is set, the check is enforced for root, too. remember=<N> - - The last <N> - passwords for each user are saved. The default is 10 -. Value of 0 - makes the module to keep the existing contents of the opasswd file unchanged. + - The last <N> + passwords for each user are saved. The default is 10 + . Value of 0 + makes the module to keep the existing contents of the opasswd file unchanged. retry=<N> - - Prompt user at most <N> - times before returning with error. The default is 1 -. + - Prompt user at most <N> + times before returning with error. The default is 1 + . authtok_type=<STRING> - - See pam_get_authtok(3) for more details. + - See pam_get_authtok(3) for more details. conf=</path/to/config-file> - - Use another configuration file instead of the default /etc/security/pwhistory.conf -. + - Use another configuration file instead of the default /etc/security/pwhistory.conf + .
Examples: -An example password section would be:
+ An example password section would be:

- #%PAM-1.0
- password required pam_pwhistory.so
- password required pam_unix.so use_authtok
+ #%PAM-1.0
+ password required pam_pwhistory.so
+ password required pam_unix.so use_authtok

-In combination with pam_passwdqc:
+ In combination with pam_passwdqc:

- #%PAM-1.0
- password required pam_passwdqc.so config=/etc/passwdqc.conf
- password required pam_pwhistory.so use_authtok
- password required pam_unix.so use_authtok -
+ #%PAM-1.0
+ password required pam_passwdqc.so config=/etc/passwdqc.conf
+ password required pam_pwhistory.so use_authtok
+ password required pam_unix.so use_authtok + The options for configuring the module behavior are described in the pwhistory.conf(5) manual page. The options specified on the module command line override the values from the configuration file. pwhistory.conf - provides a way to configure the default settings for saving the last passwords for each user. This file is read by the pam_pwhistory module and is the preferred method over configuring pam_pwhistory directly. + provides a way to configure the default settings for saving the last passwords for each user. This file is read by the pam_pwhistory module and is the preferred method over configuring pam_pwhistory directly. -The file has a very simple name = value format with possible comments starting with # character. The whitespace at the beginning of line, end of line, and around the = - sign is ignored. + The file has a very simple name = value format with possible comments starting with # character. The whitespace at the beginning of line, end of line, and around the = + sign is ignored. Options: debug - - Turns on debugging via syslog(3). + - Turns on debugging via syslog(3). enforce_for_root - - If this option is set, the check is enforced for root, too. + - If this option is set, the check is enforced for root, too. remember=<N> - - The last <N> - passwords for each user are saved. The default is 10 -. Value of 0 - makes the module to keep the existing contents of the opasswd file unchanged. + - The last <N> + passwords for each user are saved. The default is 10 + . Value of 0 + makes the module to keep the existing contents of the opasswd file unchanged. retry=<N> - - Prompt user at most <N> - times before returning with error. The default is 1 -. + - Prompt user at most <N> + times before returning with error. The default is 1 + . file=</path/filename> - - Store password history in file + - Store password history in file </path/filename> - rather than the default location. 
The default location is /etc/security/opasswd -. + rather than the default location. The default location is /etc/security/opasswd + . Ensure password history remember is configured -The /etc/security/opasswd - file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. The number of passwords remembered is set via the remember argument value in set for the pam_pwhistory - module. + The /etc/security/opasswd + file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. The number of passwords remembered is set via the remember argument value in set for the pam_pwhistory + module. -remember=<N> - <N> - is the number of old passwords to remember + remember=<N> - <N> + is the number of old passwords to remember @@ -20774,7 +20774,7 @@ remember=<N> - <N> Requiring users not to reuse their passwords make it less likely that an attacker will be able to guess the password or use a compromised password. Note: - These change only apply to accounts configured on the local system. + These change only apply to accounts configured on the local system.
@@ -20783,27 +20783,27 @@ remember=<N> - <N> -Edit or add the following line in /etc/security/pwhistory.conf -: + Edit or add the following line in /etc/security/pwhistory.conf + : remember = 24 - + -Run the following script to remove the remember - argument from the pam_pwhistory.so - module in /etc/pam.d/system-auth - and /etc/pam.d/password-auth -: + Run the following script to remove the remember + argument from the pam_pwhistory.so + module in /etc/pam.d/system-auth + and /etc/pam.d/password-auth + : -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- for l_pam_file in system-auth password-auth; do
- l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so.*)(\s+remember\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
- done
- authselect apply-changes
-} -
+ {
+ for l_pam_file in system-auth password-auth; do
+ l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so.*)(\s+remember\s*=\s*\S+)(.*$)/\1\4/' "$l_authselect_file"
+ done
+ authselect apply-changes
+ } +
@@ -20825,9 +20825,9 @@ Run the following script to remove the Ensure password history is enforced for the root user -If the pwhistory + If the pwhistory enforce_for_root - option is enabled, the module will enforce password history for the root user as well + option is enabled, the module will enforce password history for the root user as well @@ -20851,7 +20851,7 @@ If the pwhistory Requiring users not to reuse their passwords make it less likely that an attacker will be able to guess the password or use a compromised password Note: - These change only apply to accounts configured on the local system. + These change only apply to accounts configured on the local system.
@@ -20860,10 +20860,10 @@ If the pwhistory -Edit or add the following line in /etc/security/pwhistory.conf -: + Edit or add the following line in /etc/security/pwhistory.conf + : enforce_for_root - + @@ -20878,7 +20878,7 @@ Edit or add the following line in use_authtok - - When password changing enforce the module to set the new password to the one provided by a previously stacked password module + - When password changing enforce the module to set the new password to the one provided by a previously stacked password module @@ -20901,7 +20901,7 @@ Edit or add the following line in use_authtok - allows multiple pam modules to confirm a new password before it is accepted. + allows multiple pam modules to confirm a new password before it is accepted.
@@ -20910,63 +20910,63 @@ Edit or add the following line in use_authtok - on the password stack's pam_pwhistory.so - module lines: + Run the following script to verify the active authselect profile includes use_authtok + on the password stack's pam_pwhistory.so + module lines: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
- if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
- l_pam_profile_path="/etc/authselect/$l_pam_profile"
- else
- l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
- fi
- grep -P -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$l_pam_profile_path"/{password,system}-auth
-} -
+ {
+ l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
+ if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
+ l_pam_profile_path="/etc/authselect/$l_pam_profile"
+ else
+ l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
+ fi
+ grep -P -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$l_pam_profile_path"/{password,system}-auth
+ } + Example output: -/etc/authselect/custom/custom-profile/password-auth:password required pam_pwhistory.so use_authtok
+ /etc/authselect/custom/custom-profile/password-auth:password required pam_pwhistory.so use_authtok

-/etc/authselect/custom/custom-profile/system-auth:password required pam_pwhistory.so use_authtok -
+ /etc/authselect/custom/custom-profile/system-auth:password required pam_pwhistory.so use_authtok + - IF - - the output does not include use_authtok -, run the following script: + the output does not include use_authtok + , run the following script: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
- if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
- l_pam_profile_path="/etc/authselect/$l_pam_profile"
- else
- l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
- fi
- for l_authselect_file in "$l_pam_profile_path"/password-auth "$l_pam_profile_path"/system-auth; do
- if grep -Pq '^\h*password\h+([^#\n\r]+)\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$l_authselect_file"; then
- echo "- \"use_authtok\" is already set"
- else
- echo "- \"use_authtok\" is not set. Updating template"
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so\s+.*)$/& use_authtok/g' "$l_authselect_file"
- fi
- done
-} -
+ {
+ l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
+ if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
+ l_pam_profile_path="/etc/authselect/$l_pam_profile"
+ else
+ l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
+ fi
+ for l_authselect_file in "$l_pam_profile_path"/password-auth "$l_pam_profile_path"/system-auth; do
+ if grep -Pq '^\h*password\h+([^#\n\r]+)\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$l_authselect_file"; then
+ echo "- \"use_authtok\" is already set"
+ else
+ echo "- \"use_authtok\" is not set. Updating template"
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so\s+.*)$/& use_authtok/g' "$l_authselect_file"
+ fi
+ done
+ } + -Run the following command to update the password-auth - and system-auth - files in /etc/pam.d - to include the use_authtok - argument on the password stack's pam_pwhistory.so - lines: + Run the following command to update the password-auth + and system-auth + files in /etc/pam.d + to include the use_authtok + argument on the password stack's pam_pwhistory.so + lines: # authselect apply-changes - + @@ -20984,18 +20984,18 @@ Run the following command to update the Configure pam_unix module -The pam_unix.so - module is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd - and the /etc/shadow - file as well if shadow is enabled. + The pam_unix.so + module is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd + and the /etc/shadow + file as well if shadow is enabled. Ensure pam_unix does not include nullok -The nullok - argument overrides the default action of pam_unix.so - to not permit the user access to a service if their official password is blank. + The nullok + argument overrides the default action of pam_unix.so + to not permit the user access to a service if their official password is blank. @@ -21024,67 +21024,67 @@ The nullok -Run the following script to verify that the active authselect profile's system-auth - and password-auth - files include {if not "without-nullok":nullok} + Run the following script to verify that the active authselect profile's system-auth + and password-auth + files include {if not "without-nullok":nullok} - OR - - don't include the nullok - option on the pam_unix.so - module: + don't include the nullok + option on the pam_unix.so + module: -{
- l_module_name="unix"
- l_profile_name="$(head -1 /etc/authselect/authselect.conf)"
- if [[ ! "$l_profile_name" =~ ^custom\/ ]]; then
- echo " - Follow Recommendation \"Ensure custom authselect profile is used\" and then return to this Recommendation"
- else
- grep -P -- "\bpam_$l_module_name\.so\b" /etc/authselect/$l_profile_name/{password,system}-auth
- fi
-} -
+ {
+ l_module_name="unix"
+ l_profile_name="$(head -1 /etc/authselect/authselect.conf)"
+ if [[ ! "$l_profile_name" =~ ^custom\/ ]]; then
+ echo " - Follow Recommendation \"Ensure custom authselect profile is used\" and then return to this Recommendation"
+ else
+ grep -P -- "\bpam_$l_module_name\.so\b" /etc/authselect/$l_profile_name/{password,system}-auth
+ fi
+ } + Example output with a custom profile named "custom-profile": -/etc/authselect/custom/custom-profile/password-auth:auth sufficient pam_unix.so {if not "without-nullok":nullok}
-/etc/authselect/custom/custom-profile/password-auth:account required pam_unix.so
-/etc/authselect/custom/custom-profile/password-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
-/etc/authselect/custom/custom-profile/password-auth:session required pam_unix.so
+ /etc/authselect/custom/custom-profile/password-auth:auth sufficient pam_unix.so {if not "without-nullok":nullok}
+ /etc/authselect/custom/custom-profile/password-auth:account required pam_unix.so
+ /etc/authselect/custom/custom-profile/password-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
+ /etc/authselect/custom/custom-profile/password-auth:session required pam_unix.so

-/etc/authselect/custom/custom-profile/system-auth:auth sufficient pam_unix.so {if not "without-nullok":nullok}
-/etc/authselect/custom/custom-profile/system-auth:account required pam_unix.so
-/etc/authselect/custom/custom-profile/system-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
-/etc/authselect/custom/custom-profile/system-auth:session required pam_unix.so -
+ /etc/authselect/custom/custom-profile/system-auth:auth sufficient pam_unix.so {if not "without-nullok":nullok}
+ /etc/authselect/custom/custom-profile/system-auth:account required pam_unix.so
+ /etc/authselect/custom/custom-profile/system-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
+ /etc/authselect/custom/custom-profile/system-auth:session required pam_unix.so + - IF - - any line is returned with nullok - that doesn't also include {if not "without-nullok":nullok} -, run the following script: + any line is returned with nullok + that doesn't also include {if not "without-nullok":nullok} + , run the following script: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- for l_pam_file in system-auth password-auth; do
- l_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)(nullok)(\s*.*)$/\1\2\4/g' $l_file
- done
-} -
+ {
+ for l_pam_file in system-auth password-auth; do
+ l_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)(nullok)(\s*.*)$/\1\2\4/g' $l_file
+ done
+ } + - IF - - any line is returned with {if not "without-nullok":nullok} -, run the following command to enable the authselect without-nullok - feature: + any line is returned with {if not "without-nullok":nullok} + , run the following command to enable the authselect without-nullok + feature: # authselect enable-feature without-nullok - + -Run the following command to update the files in /etc/pam.d - to include pam_unix.so - without the nullok - argument: + Run the following command to update the files in /etc/pam.d + to include pam_unix.so + without the nullok + argument: # authselect apply-changes - +
@@ -21101,14 +21101,14 @@ Run the following command to update the files in Ensure pam_unix does not include remember -The remember=n - argument saves the last n passwords for each user in /etc/security/opasswd - in order to force password change history and keep the user from alternating between the same password too frequently. The MD5 password hash algorithm is used for storing the old passwords. Instead of this option the pam_pwhistory - module should be used. The pam_pwhistory - module saves the last n passwords for each user in /etc/security/opasswd - using the password hash algorithm set on the pam_unix - module. This allows for the sha512 - hash algorithm to be used. + The remember=n + argument saves the last n passwords for each user in /etc/security/opasswd + in order to force password change history and keep the user from alternating between the same password too frequently. The MD5 password hash algorithm is used for storing the old passwords. Instead of this option the pam_pwhistory + module should be used. The pam_pwhistory + module saves the last n passwords for each user in /etc/security/opasswd + using the password hash algorithm set on the pam_unix + module. This allows for the sha512 + hash algorithm to be used. @@ -21130,9 +21130,9 @@ The remember=n -The remember=n - argument should be removed to ensure a strong password hashing algorithm is being used. A stronger hash provides additional protection to the system by increasing the level of effort needed for an attacker to successfully determine local user's old passwords stored in /etc/security/opasswd -. + The remember=n + argument should be removed to ensure a strong password hashing algorithm is being used. A stronger hash provides additional protection to the system by increasing the level of effort needed for an attacker to successfully determine local user's old passwords stored in /etc/security/opasswd + . 
@@ -21140,57 +21140,57 @@ The remember=n -Run the following script to verify the active authselect profile doesn't include the remember - argument on the pam_unix.so - module lines: + Run the following script to verify the active authselect profile doesn't include the remember + argument on the pam_unix.so + module lines: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
- if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
- l_pam_profile_path="/etc/authselect/$l_pam_profile"
- else
- l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
- fi
- grep -P -- '^\h*password\h+([^#\n\r]+\h+)pam_unix\.so\b' "$l_pam_profile_path"/{password,system}-auth
-} -
+ {
+ l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
+ if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
+ l_pam_profile_path="/etc/authselect/$l_pam_profile"
+ else
+ l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
+ fi
+ grep -P -- '^\h*password\h+([^#\n\r]+\h+)pam_unix\.so\b' "$l_pam_profile_path"/{password,system}-auth
+ } + Output should be similar to: -/etc/authselect/custom/custom-profile/password-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
+ /etc/authselect/custom/custom-profile/password-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok

-/etc/authselect/custom/custom-profile/system-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok -
+ /etc/authselect/custom/custom-profile/system-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok + - IF - - any line includes remember= -, run the following script to remove the remember= - from the pam_unix.so - lines in the active authselect profile password-auth - and system-auth` templates: + any line includes remember= + , run the following script to remove the remember= + from the pam_unix.so + lines in the active authselect profile password-auth + and system-auth` templates: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
- if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
- l_pam_profile_path="/etc/authselect/$l_pam_profile"
- else
- l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
- fi
- for l_authselect_file in "$l_pam_profile_path"/password-auth "$l_pam_profile_path"/system-auth; do
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)(remember=[1-9][0-9]*)(\s*.*)$/\1\4/g' "$l_authselect_file"
- done
-} -
+ {
+ l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
+ if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
+ l_pam_profile_path="/etc/authselect/$l_pam_profile"
+ else
+ l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
+ fi
+ for l_authselect_file in "$l_pam_profile_path"/password-auth "$l_pam_profile_path"/system-auth; do
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)(remember=[1-9][0-9]*)(\s*.*)$/\1\4/g' "$l_authselect_file"
+ done
+ } + -Run the following command to update the password-auth - and system-auth files in -/etc/pam.d to include pam_unix.so without the remember - argument: + Run the following command to update the password-auth + and system-auth files in + /etc/pam.d to include pam_unix.so without the remember + argument: # authselect apply-changes - +
@@ -21229,17 +21229,17 @@ Run the following command to update the # awk -F: '( $3&amp;amp;lt;'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' &amp;amp;&amp;amp; $1 != "nfsnobody" ) { print $1 }' /etc/passwd | xargs -n 1 chage -d 0 - +
-The SHA-512 - and yescrypt - algorithms provide a stronger hash than other algorithms used by Linux for password hash generation. A stronger hash provides additional protection to the system by increasing the level of effort needed for an attacker to successfully determine local user passwords. + The SHA-512 + and yescrypt + algorithms provide a stronger hash than other algorithms used by Linux for password hash generation. A stronger hash provides additional protection to the system by increasing the level of effort needed for an attacker to successfully determine local user passwords. Note: - These changes only apply to the local system. + These changes only apply to the local system. @@ -21252,77 +21252,77 @@ The SHA-512 -It is highly recommended that the chosen hashing algorithm is consistent across /etc/libuser.conf -, /etc/login.defs -, /etc/pam.d/password-auth -, and /etc/pam.d/system-auth -. + It is highly recommended that the chosen hashing algorithm is consistent across /etc/libuser.conf + , /etc/login.defs + , /etc/pam.d/password-auth + , and /etc/pam.d/system-auth + . -This only effects local users and passwords created after updating the files to use sha512 - or yescrypt -. If it is determined that the password algorithm being used is not sha512 - or yescrypt -, once it is changed, it is recommended that all user ID's be immediately expired and forced to change their passwords on next login. + This only effects local users and passwords created after updating the files to use sha512 + or yescrypt + . If it is determined that the password algorithm being used is not sha512 + or yescrypt + , once it is changed, it is recommended that all user ID's be immediately expired and forced to change their passwords on next login. Run the following script to verify the active authselect profile includes a strong password hashing algorithm on the password stack's pam_unix.so module lines: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
- if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
- l_pam_profile_path="/etc/authselect/$l_pam_profile"
- else
- l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
- fi
- grep -P -- '^\h*password\h+(requisite|required|sufficient)\h+pam_unix\.so\h+([^#\n\r]+\h+)?(sha512|yescrypt)\b' "$l_pam_profile_path"/{password,system}-auth
-} -
+ {
+ l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
+ if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
+ l_pam_profile_path="/etc/authselect/$l_pam_profile"
+ else
+ l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
+ fi
+ grep -P -- '^\h*password\h+(requisite|required|sufficient)\h+pam_unix\.so\h+([^#\n\r]+\h+)?(sha512|yescrypt)\b' "$l_pam_profile_path"/{password,system}-auth
+ } + Example output: -/etc/authselect/custom/custom-profile/password-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
+ /etc/authselect/custom/custom-profile/password-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok

-/etc/authselect/custom/custom-profile/system-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok -
+ /etc/authselect/custom/custom-profile/system-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok + - IF - - the output does not include either sha512 + the output does not include either sha512 - OR - yescrypt -, or includes a different hashing algorithm, run the following script: + , or includes a different hashing algorithm, run the following script: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
- if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
- l_pam_profile_path="/etc/authselect/$l_pam_profile"
- else
- l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
- fi
- for l_authselect_file in "$l_pam_profile_path"/password-auth "$l_pam_profile_path"/system-auth; do
- if grep -Pq '^\h*password\h+()\h+pam_unix\.so\h+([^#\n\r]+\h+)?(sha512|yescrypt)\b' "$l_authselect_file"; then
- echo "- A strong password hashing algorithm is correctly set"
- elif grep -Pq '^\h*password\h+()\h+pam_unix\.so\h+([^#\n\r]+\h+)?(md5|bigcrypt|sha256|blowfish)\b' "$l_authselect_file"; then
- echo "- A weak password hashing algorithm is set, updating to \"sha512\""
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)(md5|bigcrypt|sha256|blowfish)(\s*.*)$/\1\4 sha512/g' "$l_authselect_file"
- else
- echo "No password hashing algorithm is set, updating to \"sha512\""
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)$/& sha512/g' "$l_authselect_file"
- fi
- done
-} -
+ {
+ l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
+ if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
+ l_pam_profile_path="/etc/authselect/$l_pam_profile"
+ else
+ l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
+ fi
+ for l_authselect_file in "$l_pam_profile_path"/password-auth "$l_pam_profile_path"/system-auth; do
+ if grep -Pq '^\h*password\h+()\h+pam_unix\.so\h+([^#\n\r]+\h+)?(sha512|yescrypt)\b' "$l_authselect_file"; then
+ echo "- A strong password hashing algorithm is correctly set"
+ elif grep -Pq '^\h*password\h+()\h+pam_unix\.so\h+([^#\n\r]+\h+)?(md5|bigcrypt|sha256|blowfish)\b' "$l_authselect_file"; then
+ echo "- A weak password hashing algorithm is set, updating to \"sha512\""
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)(md5|bigcrypt|sha256|blowfish)(\s*.*)$/\1\4 sha512/g' "$l_authselect_file"
+ else
+ echo "No password hashing algorithm is set, updating to \"sha512\""
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)$/& sha512/g' "$l_authselect_file"
+ fi
+ done
+ }
+
-Run the following command to update the password-auth - and system-auth - files in /etc/pam.d - to include pam_unix.so - with a strong password hashing algorithm argument: + Run the following command to update the password-auth + and system-auth + files in /etc/pam.d + to include pam_unix.so + with a strong password hashing algorithm argument: # authselect apply-changes - +
@@ -21340,7 +21340,7 @@ Run the following command to update the use_authtok - - When password changing enforce the module to set the new password to the one provided by a previously stacked password module + - When password changing enforce the module to set the new password to the one provided by a previously stacked password module
@@ -21363,7 +21363,7 @@ Run the following command to update the use_authtok - allows multiple pam modules to confirm a new password before it is accepted. + allows multiple pam modules to confirm a new password before it is accepted.
@@ -21372,63 +21372,63 @@ Run the following command to update the use_authtok - on the password stack's pam_unix.so - module lines: + Run the following script to verify the active authselect profile includes use_authtok + on the password stack's pam_unix.so + module lines:
-#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
- if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
- l_pam_profile_path="/etc/authselect/$l_pam_profile"
- else
- l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
- fi
- grep -P -- '^\h*password\h+(requisite|required|sufficient)\h+pam_unix\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$l_pam_profile_path"/{password,system}-auth
-} -
+ {
+ l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
+ if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
+ l_pam_profile_path="/etc/authselect/$l_pam_profile"
+ else
+ l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
+ fi
+ grep -P -- '^\h*password\h+(requisite|required|sufficient)\h+pam_unix\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$l_pam_profile_path"/{password,system}-auth
+ } + Example output: -/etc/authselect/custom/custom-profile/password-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
+ /etc/authselect/custom/custom-profile/password-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok

-/etc/authselect/custom/custom-profile/system-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok -
+ /etc/authselect/custom/custom-profile/system-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok + - IF - - the output does not include use_authtok -, run the following script: + the output does not include use_authtok + , run the following script:
-#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
- if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
- l_pam_profile_path="/etc/authselect/$l_pam_profile"
- else
- l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
- fi
- for l_authselect_file in "$l_pam_profile_path"/password-auth "$l_pam_profile_path"/system-auth; do
- if grep -Pq '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$l_authselect_file"; then
- echo "- \"use_authtok\" is already set"
- else
- echo "- \"use_authtok\" is not set. Updating template"
- sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)$/& use_authtok/g' "$l_authselect_file"
- fi
- done
-} -
+ {
+ l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
+ if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
+ l_pam_profile_path="/etc/authselect/$l_pam_profile"
+ else
+ l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
+ fi
+ for l_authselect_file in "$l_pam_profile_path"/password-auth "$l_pam_profile_path"/system-auth; do
+ if grep -Pq '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$l_authselect_file"; then
+ echo "- \"use_authtok\" is already set"
+ else
+ echo "- \"use_authtok\" is not set. Updating template"
+ sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)$/& use_authtok/g' "$l_authselect_file"
+ fi
+ done
+ }
+
-Run the following command to update the password-auth - and system-auth - files in /etc/pam.d - to include the use_authtok - argument on the password stack's pam_unix.so - lines: + Run the following command to update the password-auth + and system-auth + files in /etc/pam.d + to include the use_authtok + argument on the password stack's pam_unix.so + lines: # authselect apply-changes - +
@@ -21453,22 +21453,22 @@ Run the following command to update the Configure shadow password suite parameters -While a majority of the password control parameters have been moved to PAM, some parameters are still available through the shadow password suite. Any changes made to /etc/login.defs -will only be applied if the usermod -command is used. If user IDs are added a different way, use the chage -command to effect changes to individual user IDs. + While a majority of the password control parameters have been moved to PAM, some parameters are still available through the shadow password suite. Any changes made to /etc/login.defs + will only be applied if the usermod + command is used. If user IDs are added a different way, use the chage + command to effect changes to individual user IDs. Ensure password expiration is configured -The PASS_MAX_DAYS - parameter in /etc/login.defs - allows an administrator to force passwords to expire once they reach a defined age. + The PASS_MAX_DAYS + parameter in /etc/login.defs + allows an administrator to force passwords to expire once they reach a defined age. PASS_MAX_DAYS <N> - - The maximum number of days a password may be used. If the password is older than this, a password change will be forced. If not specified, -1 will be assumed (which disables the restriction). + - The maximum number of days a password may be used. If the password is older than this, a password change will be forced. If not specified, -1 will be assumed (which disables the restriction).
@@ -21503,47 +21503,47 @@ The PASS_MAX_DAYS -Set the PASS_MAX_DAYS - parameter to conform to site policy in /etc/login.defs - : + Set the PASS_MAX_DAYS + parameter to conform to site policy in /etc/login.defs + : PASS_MAX_DAYS 365 - + Modify user parameters for all users with a password set to match: # chage --maxdays 365 <user> - + -Edit /etc/login.defs - and set PASS_MAX_DAYS - to a value greater than 0 - that follows local site policy: + Edit /etc/login.defs + and set PASS_MAX_DAYS + to a value greater than 0 + that follows local site policy: Example: PASS_MAX_DAYS 365 - + -Run the following command to modify user parameters for all users with a password set to a maximum age no greater than 365 - or less than 1 - that follows local site policy: + Run the following command to modify user parameters for all users with a password set to a maximum age no greater than 365 + or less than 1 + that follows local site policy: # chage --maxdays <N> <user> - + Example: # awk -F: '($2~/^\$.+\$/) {if($5 > 365 || $5 < 1)system ("chage --maxdays 365 " $1)}' /etc/shadow - + Warning: - If a password has been set at system install or kickstart, the last change date - field is not set, In this case, setting PASS_MAX_DAYS - will immediately expire the password. One possible solution is to populate the last change date - field through a command like: chage -d "$(date +%Y-%m-%d)" root + If a password has been set at system install or kickstart, the last change date + field is not set, In this case, setting PASS_MAX_DAYS + will immediately expire the password. One possible solution is to populate the last change date + field through a command like: chage -d "$(date +%Y-%m-%d)" root Impact: The password expiration must be greater than the minimum days between password changes or users will be unable to change their password. 
Excessive password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous one (incrementing a number used in the password for -example). Also, password expiration requirements offer no containment benefits because attackers will often use credentials as soon as they compromise them. Instead, immediate password changes should be based on key events including, but not limited to: + example). Also, password expiration requirements offer no containment benefits because attackers will often use credentials as soon as they compromise them. Instead, immediate password changes should be based on key events including, but not limited to: Indication of compromise Change of user roles
@@ -21577,8 +21577,8 @@ example). Also, password expiration requirements offer no containment benefits b PASS_MIN_DAYS - < N -> - The minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected. If not specified, 0 will be assumed (which disables the restriction). + < N + > - The minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected. If not specified, 0 will be assumed (which disables the restriction).
@@ -21609,30 +21609,30 @@ example). Also, password expiration requirements offer no containment benefits b -Edit /etc/login.defs - and set PASS_MIN_DAYS - to a value greater than 0 - that follows local site policy: + Edit /etc/login.defs + and set PASS_MIN_DAYS + to a value greater than 0 + that follows local site policy: Example: PASS_MIN_DAYS 1 - + Run the following command to modify user parameters for all users with a password set to a minimum days greater than zero that follows local site policy: # chage --mindays <N> <user> - + Example: # awk -F: '($2~/^\$.+\$/) {if($4 < 1)system ("chage --mindays 1 " $1)}' /etc/shadow - + Impact: If a users password is set by other personnel as a procedure in dealing with a lost or expired password, the user should be forced to update this "set" password with their own password. e.g. force "change at next logon". -If it is not possible to have a user set their own password immediately, and this recommendation or local site procedure may cause a user to continue using a third party generated password, PASS_MIN_DAYS - for the effected user should be temporally changed to 0 -, to allow a user to change their password immediately. + If it is not possible to have a user set their own password immediately, and this recommendation or local site procedure may cause a user to continue using a third party generated password, PASS_MIN_DAYS + for the effected user should be temporally changed to 0 + , to allow a user to change their password immediately. For applications where the user is not using the password at console, the ability to "change at next logon" may be limited. This may cause a user to continue to use a password created by other personnel. 
@@ -21653,13 +21653,13 @@ If it is not possible to have a user set their own password immediately, and thi Ensure password expiration warning days is configured -The PASS_WARN_AGE - parameter in /etc/login.defs - allows an administrator to notify users that their password will expire in a defined number of days. + The PASS_WARN_AGE + parameter in /etc/login.defs + allows an administrator to notify users that their password will expire in a defined number of days. PASS_WARN_AGE <N> - - The number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided. + - The number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided. @@ -21688,25 +21688,25 @@ The PASS_WARN_AGE -Edit /etc/login.defs - and set PASS_WARN_AGE - to a value of 7 - or more that follows local site policy: + Edit /etc/login.defs + and set PASS_WARN_AGE + to a value of 7 + or more that follows local site policy: Example: PASS_WARN_AGE 7 - + -Run the following command to modify user parameters for all users with a password set to a minimum warning to 7 - or more days that follows local site policy: + Run the following command to modify user parameters for all users with a password set to a minimum warning to 7 + or more days that follows local site policy: # chage --warndays <N> <user> - + Example: # awk -F: '($2~/^\$.+\$/) {if($6 < 7)system ("chage --warndays 7 " $1)}' /etc/shadow - + 
@@ -21727,34 +21727,34 @@ Run the following command to modify user parameters for all users with a passwor A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password. ENCRYPT_METHOD - (string) - This defines the system default encryption algorithm for encrypting passwords (if no algorithm are specified on the command line). It can take one of these values: + (string) - This defines the system default encryption algorithm for encrypting passwords (if no algorithm are specified on the command line). It can take one of these values: MD5 - - MD5-based algorithm will be used for encrypting password + - MD5-based algorithm will be used for encrypting password SHA256 - - SHA256-based algorithm will be used for encrypting password + - SHA256-based algorithm will be used for encrypting password SHA512 - - SHA512-based algorithm will be used for encrypting password + - SHA512-based algorithm will be used for encrypting password BCRYPT - - BCRYPT-based algorithm will be used for encrypting password + - BCRYPT-based algorithm will be used for encrypting password YESCRYPT - - YESCRYPT-based algorithm will be used for encrypting password + - YESCRYPT-based algorithm will be used for encrypting password DES - - DES-based algorithm will be used for encrypting password (default) + - DES-based algorithm will be used for encrypting password (default) Note: -This parameter overrides the deprecated MD5_CRYPT_ENAB - variable. + This parameter overrides the deprecated MD5_CRYPT_ENAB + variable. This parameter will only affect the generation of group passwords. The generation of user passwords is done by PAM and subject to the PAM configuration. It is recommended to set this variable consistently with the PAM configuration. 
@@ -21780,9 +21780,9 @@ This parameter overrides the deprecated -The SHA-512 - and yescrypt - algorithms provide a stronger hash than other algorithms used by Linux for password hash generation. A stronger hash provides additional protection to the system by increasing the level of effort needed for an attacker to successfully determine local group passwords. + The SHA-512 + and yescrypt + algorithms provide a stronger hash than other algorithms used by Linux for password hash generation. A stronger hash provides additional protection to the system by increasing the level of effort needed for an attacker to successfully determine local group passwords. @@ -21791,33 +21791,33 @@ The SHA-512 -Edit /etc/login.defs - and set the ENCRYPT_METHOD - to SHA512 - or YESCRYPT -: + Edit /etc/login.defs + and set the ENCRYPT_METHOD + to SHA512 + or YESCRYPT + : ENCRYPT_METHOD <HASHING_ALGORITHM> - + Example: ENCRYPT_METHOD YESCRYPT - + Note: -This only effects local groups' passwords created after updating the file to use sha512 - or yescrypt -. + This only effects local groups' passwords created after updating the file to use sha512 + or yescrypt + . -If it is determined that the password algorithm being used is not sha512 - or yescrypt -, once it is changed, it is recommended that all group passwords be updated to use the stronger hashing algorithm. + If it is determined that the password algorithm being used is not sha512 + or yescrypt + , once it is changed, it is recommended that all group passwords be updated to use the stronger hashing algorithm. -It is recommended that the chosen hashing algorithm is consistent across /etc/login.defs - and the PAM configuration + It is recommended that the chosen hashing algorithm is consistent across /etc/login.defs + and the PAM configuration 
@@ -21834,11 +21834,11 @@ It is recommended that the chosen hashing algorithm is consistent across User accounts that have been inactive for over a given period of time can be automatically disabled. INACTIVE - - Defines the number of days after the password exceeded its maximum age where the user is expected to replace this password. + - Defines the number of days after the password exceeded its maximum age where the user is expected to replace this password. -The value is stored in the shadow password file. An input of 0 - will disable an expired password with no delay. An input of -1 - will blank the respective field in the shadow password file. + The value is stored in the shadow password file. An input of 0 + will disable an expired password with no delay. An input of -1 + will blank the respective field in the shadow password file. @@ -21872,22 +21872,22 @@ The value is stored in the shadow password file. An input of Run the following command to set the default password inactivity period to 45 days or less that meets local site policy: # useradd -D -f <N> - + Example: # useradd -D -f 45 - + -Run the following command to modify user parameters for all users with a password set to a inactive age of 45 - days or less that follows local site policy: + Run the following command to modify user parameters for all users with a password set to a inactive age of 45 + days or less that follows local site policy: # chage --inactive <N> <user> - + Example: # awk -F: '($2~/^\$.+\$/) {if($7 > 45 || $7 < 0)system ("chage --inactive 45 " $1)}' /etc/shadow - + 
@@ -21962,23 +21962,23 @@ Run the following command to modify user parameters for all users with a passwor -This access must be limited to only the default root - account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in the Recommendation "Ensure access to the su command is restricted". + This access must be limited to only the default root + account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in the Recommendation "Ensure access to the su command is restricted". NIST SP 800-53 Rev. 5: CM-1, CM-2, CM-6, CM-7, IA-5 -Run the following command to change the root - account UID to 0 -: + Run the following command to change the root + account UID to 0 + : # usermod -u 0 root - + -Modify any users other than root - with UID 0 - and assign them a new UID. + Modify any users other than root + with UID 0 + and assign them a new UID. @@ -21994,10 +21994,10 @@ Modify any users other than r Ensure root is the only GID 0 account -The usermod - command can be used to specify which group the root - account belongs to. This affects permissions of files that are created by the root - account. + The usermod + command can be used to specify which group the root + account belongs to. This affects permissions of files that are created by the root + account. @@ -22019,9 +22019,9 @@ The usermod -Using GID 0 for the root - account helps prevent root - -owned files from accidentally becoming accessible to non-privileged users. + Using GID 0 for the root + account helps prevent root + -owned files from accidentally becoming accessible to non-privileged users. 
@@ -22030,20 +22030,20 @@ Using GID 0 for the root -Run the following command to set the root - user's GID to 0 -: + Run the following command to set the root + user's GID to 0 + : # usermod -g 0 root - + -Run the following command to set the root - group's GID to 0 -: + Run the following command to set the root + group's GID to 0 + : # groupmod -g 0 root - + -Remove any users other than the root - user with GID 0 or assign them a new GID if appropriate. + Remove any users other than the root + user with GID 0 or assign them a new GID if appropriate. @@ -22059,10 +22059,10 @@ Remove any users other than the Ensure group root is the only GID 0 group -The groupmod - command can be used to specify which group the root - group belongs to. This affects permissions of files that are group owned by the root - group. + The groupmod + command can be used to specify which group the root + group belongs to. This affects permissions of files that are group owned by the root + group. @@ -22084,9 +22084,9 @@ The groupmod -Using GID 0 for the root - group helps prevent root - group owned files from accidentally becoming accessible to non-privileged users. + Using GID 0 for the root + group helps prevent root + group owned files from accidentally becoming accessible to non-privileged users. @@ -22095,14 +22095,14 @@ Using GID 0 for the root -Run the following command to set the root - group's GID to 0 -: + Run the following command to set the root + group's GID to 0 + : # groupmod -g 0 root - + -Remove any groups other than the root - group with GID 0 or assign them a new GID if appropriate. + Remove any groups other than the root + group with GID 0 or assign them a new GID if appropriate. @@ -22139,8 +22139,8 @@ Remove any groups other than the -Access to root - should be secured at all times. + Access to root + should be secured at all times. 
@@ -22148,18 +22148,18 @@ Access to root -Run the following command to set a password for the root - user: + Run the following command to set a password for the root + user: # passwd root - + - OR - -Run the following command to lock the root - user account: + Run the following command to lock the root + user account: # usermod -L root - + Impact: If there are any automated processes that relies on access to the root account without authentication, they will fail after remediation. @@ -22182,15 +22182,15 @@ Run the following command to lock the Ensure root path integrity -The root - user can execute any command on the system and could be fooled into executing programs unintentionally if the PATH - is not set correctly. + The root + user can execute any command on the system and could be fooled into executing programs unintentionally if the PATH + is not set correctly. -Including the current working directory (.) or other writable directory in root -'s executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root - to execute a Trojan horse program. + Including the current working directory (.) or other writable directory in root + 's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root + to execute a Trojan horse program. NIST SP 800-53 Rev. 5: CM-1, CM-2, CM-6, CM-7, IA-5 @@ -22200,19 +22200,19 @@ Including the current working directory (.) or other writable directory in Locations that are not directories -Empty directories ( :: -) + Empty directories ( :: + ) -Trailing ( : -) + Trailing ( : + ) -Current working directory ( . -) + Current working directory ( . + ) -Non root - owned directories + Non root + owned directories -Directories that less restrictive than mode 0755 + Directories that less restrictive than mode 0755 
@@ -22229,39 +22229,39 @@ Directories that less restrictive than mode Ensure root user umask is configured -The user file-creation mode mask ( umask -) is used to determine the file permission for newly created directories and files. In Linux, the default permissions for any newly created directory is 0777 ( rwxrwxrwx -), and for any newly created file it is 0666 ( rw-rw-rw- -). The umask - modifies the default Linux permissions by restricting (masking) these permissions. The umask - is not simply subtracted, but is processed bitwise. Bits set in the umask - are cleared in the resulting file mode. + The user file-creation mode mask ( umask + ) is used to determine the file permission for newly created directories and files. In Linux, the default permissions for any newly created directory is 0777 ( rwxrwxrwx + ), and for any newly created file it is 0666 ( rw-rw-rw- + ). The umask + modifies the default Linux permissions by restricting (masking) these permissions. The umask + is not simply subtracted, but is processed bitwise. Bits set in the umask + are cleared in the resulting file mode. umask - can be set with either Octal - or Symbolic - values: + can be set with either Octal + or Symbolic + values: Octal - (Numeric) Value - Represented by either three or four digits. ie umask 0027 - or umask 027 -. If a four digit umask is used, the first digit is ignored. The remaining three digits effect the resulting permissions for user, group, and world/other respectively. + (Numeric) Value - Represented by either three or four digits. ie umask 0027 + or umask 027 + . If a four digit umask is used, the first digit is ignored. The remaining three digits effect the resulting permissions for user, group, and world/other respectively. Symbolic - Value - Represented by a comma separated list for User u -, group g -, and world/other o -. The permissions listed are not masked by umask -. 
ie a umask - set by umask u=rwx,g=rx,o= - is the Symbolic - equivalent of the Octal + Value - Represented by a comma separated list for User u + , group g + , and world/other o + . The permissions listed are not masked by umask + . ie a umask + set by umask u=rwx,g=rx,o= + is the Symbolic + equivalent of the Octal umask 027 -. This umask - would set a newly created directory with file mode drwxr-x--- - and a newly created file with file mode rw-r----- -. + . This umask + would set a newly created directory with file mode drwxr-x--- + and a newly created file with file mode rw-r----- + . root user Shell Configuration Files: @@ -22269,18 +22269,18 @@ The user file-creation mode mask ( /root/.bash_profile - - Is executed to configure the root users' shell before the initial command prompt. Is only read by login shells. + - Is executed to configure the root users' shell before the initial command prompt. Is only read by login shells. /root/.bashrc - - Is executed for interactive shells. only read by a shell that's both interactive and non-login + - Is executed for interactive shells. only read by a shell that's both interactive and non-login umask - is set by order of precedence. If umask - is set in multiple locations, this order of precedence will determine the system's default umask -. + is set by order of precedence. If umask + is set in multiple locations, this order of precedence will determine the system's default umask + . Order of precedence: 
@@ -22314,9 +22314,9 @@ The user file-creation mode mask ( -Setting a secure value for umask - ensures that users make a conscious choice about their file permissions. A permissive umask - value could result in directories or files with excessive permissions that can be read and/or written to by unauthorized users. + Setting a secure value for umask + ensures that users make a conscious choice about their file permissions. A permissive umask + value could result in directories or files with excessive permissions that can be read and/or written to by unauthorized users. @@ -22325,11 +22325,11 @@ Setting a secure value for umask< -Edit /root/.bash_profile - and /root/.bashrc - and remove, comment out, or update any line with umask - to be 0027 - or more restrictive. + Edit /root/.bash_profile + and /root/.bashrc + and remove, comment out, or update any line with umask + to be 0027 + or more restrictive. 
@@ -22366,17 +22366,17 @@ Edit /root/.bash_profile -The root -, sync -, shutdown -, and halt - users are exempted from requiring a non-login shell. + The root + , sync + , shutdown + , and halt + users are exempted from requiring a non-login shell. -It is important to make sure that accounts that are not being used by regular users are prevented from being used to provide an interactive shell. By default, most distributions set the password field for these accounts to an invalid string, but it is also recommended that the shell field in the password file be set to the nologin - shell. This prevents the account from potentially being used to run any commands. + It is important to make sure that accounts that are not being used by regular users are prevented from being used to provide an interactive shell. By default, most distributions set the password field for these accounts to an invalid string, but it is also recommended that the shell field in the password file be set to the nologin + shell. This prevents the account from potentially being used to run any commands.
@@ -22385,21 +22385,21 @@ It is important to make sure that accounts that are not being used by regular us -Run the following command to set the shell for any service accounts returned by the audit to nologin -: + Run the following command to set the shell for any service accounts returned by the audit to nologin + : # usermod -s $(command -v nologin) <user> - + Example script:
-#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_valid_shells="^($( awk -F\/ '$NF != "nologin" {print}' /etc/shells | sed -rn '/^\//{s,/,\\\\/,g;p}' | paste -s -d '|' - ))$"
- awk -v pat="$l_valid_shells" -F: '($1!~/^(root|halt|sync|shutdown|nfsnobody)$/ && ($3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' || $3 == 65534) && $(NF) ~ pat) {system ("usermod -s '"$(command -v nologin)"' " $1)}' /etc/passwd
-} -
+ {
+ l_valid_shells="^($( awk -F\/ '$NF != "nologin" {print}' /etc/shells | sed -rn '/^\//{s,/,\\\\/,g;p}' | paste -s -d '|' - ))$"
+ awk -v pat="$l_valid_shells" -F: '($1!~/^(root|halt|sync|shutdown|nfsnobody)$/ && ($3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' || $3 == 65534) && $(NF) ~ pat) {system ("usermod -s '"$(command -v nologin)"' " $1)}' /etc/passwd
+ } +
@@ -22435,8 +22435,8 @@ Run the following command to set the shell for any service accounts returned by
-It is important to make sure that accounts that are not being used by regular users are prevented from being used to provide an interactive shell. By default, most distributions set the password field for these accounts to an invalid string, but it is also recommended that the shell field in the password file be set to the nologin - shell. This prevents the account from potentially being used to run any commands. + It is important to make sure that accounts that are not being used by regular users are prevented from being used to provide an interactive shell. By default, most distributions set the password field for these accounts to an invalid string, but it is also recommended that the shell field in the password file be set to the nologin + shell. This prevents the account from potentially being used to run any commands. @@ -22446,20 +22446,20 @@ It is important to make sure that accounts that are not being used by regular us Run the following command to lock any non-root accounts without a valid login shell returned by the audit: # usermod -L <user> - + Example script: -: + : -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_valid_shells="^($(awk -F\/ '$NF != "nologin" {print}' /etc/shells | sed -rn '/^\//{s,/,\\\\/,g;p}' | paste -s -d '|' - ))$"
- while IFS= read -r l_user; do
- passwd -S "$l_user" | awk '$2 !~ /^L/ {system ("usermod -L " $1)}'
- done < <(awk -v pat="$l_valid_shells" -F: '($1 != "root" && $(NF) !~ pat) {print $1}' /etc/passwd)
-} -
+ {
+ l_valid_shells="^($(awk -F\/ '$NF != "nologin" {print}' /etc/shells | sed -rn '/^\//{s,/,\\\\/,g;p}' | paste -s -d '|' - ))$"
+ while IFS= read -r l_user; do
+ passwd -S "$l_user" | awk '$2 !~ /^L/ {system ("usermod -L " $1)}'
+ done < <(awk -v pat="$l_valid_shells" -F: '($1 != "root" && $(NF) !~ pat) {print $1}' /etc/passwd)
+ } + @@ -22479,25 +22479,25 @@ It is important to make sure that accounts that are not being used by regular us /etc/shells - is a text file which contains the full pathnames of valid login shells. This file is consulted by chsh - and available to be queried by other programs. + is a text file which contains the full pathnames of valid login shells. This file is consulted by chsh + and available to be queried by other programs. Be aware that there are programs which consult this file to find out if a user is a normal user; for example, FTP daemons traditionally disallow access to users with shells not included in this file. -A user can use chsh - to change their configured shell. + A user can use chsh + to change their configured shell. -If a user has a shell configured that isn't in in /etc/shells -, then the system assumes that they're somehow restricted. In the case of chsh - it means that the user cannot change that value. + If a user has a shell configured that isn't in in /etc/shells + , then the system assumes that they're somehow restricted. In the case of chsh + it means that the user cannot change that value. Other programs might query that list and apply similar restrictions. -By putting nologin - in /etc/shells -, any user that has nologin - as its shell is considered a full, unrestricted user. This is not the expected behavior for nologin -. + By putting nologin + in /etc/shells + , any user that has nologin + as its shell is considered a full, unrestricted user. This is not the expected behavior for nologin + . shells(5) NIST SP 800-53 Rev. 5: CM-1, CM-2, CM-6, CM-7, IA-5 @@ -22505,8 +22505,8 @@ By putting nologin -Edit /etc/shells - and remove any lines that include nologin + Edit /etc/shells + and remove any lines that include nologin 
@@ -22522,13 +22522,13 @@ Edit /etc/shells TMOUT - is an environmental setting that determines the timeout of a shell in seconds. + is an environmental setting that determines the timeout of a shell in seconds. -TMOUT= n - - Sets the shell timeout to n - seconds. A setting of TMOUT=0 - disables timeout. + TMOUT= n + - Sets the shell timeout to n + seconds. A setting of TMOUT=0 + disables timeout. readonly TMOUT- Sets the TMOUT environmental variable as readonly, preventing unwanted modification during run-time. export TMOUT - exports the TMOUT variable 
@@ -22538,29 +22538,29 @@ TMOUT= n /etc/profile - - used to set system wide environmental variables on users shells. The variables are sometimes the same ones that are in the .bash_profile -, however this file is used to set an initial PATH or PS1 for all shell users of the system. -is only executed for interactive login - shells, or shells executed with the --login parameter. + - used to set system wide environmental variables on users shells. The variables are sometimes the same ones that are in the .bash_profile + , however this file is used to set an initial PATH or PS1 for all shell users of the system. + is only executed for interactive login + shells, or shells executed with the --login parameter. /etc/profile.d - - /etc/profile - will execute the scripts within /etc/profile.d/*.sh -. It is recommended to place your configuration in a shell script within /etc/profile.d - to set your own system wide environmental variables. + - /etc/profile + will execute the scripts within /etc/profile.d/*.sh + . It is recommended to place your configuration in a shell script within /etc/profile.d + to set your own system wide environmental variables. /etc/bashrc - - System wide version of .bashrc -. In Fedora derived distributions, /etc/bashrc - also invokes /etc/profile.d/*.sh if non-login - shell, but redirects output to /dev/null - if non-interactive. + - System wide version of .bashrc + . In Fedora derived distributions, /etc/bashrc + also invokes /etc/profile.d/*.sh if non-login + shell, but redirects output to /dev/null + if non-interactive. -Is only executed for interactive - shells or if BASH_ENV - is set to /etc/bashrc -. + Is only executed for interactive + shells or if BASH_ENV + is set to /etc/bashrc + . 
@@ -22595,22 +22595,22 @@ Is only executed for interactive -Review /etc/bashrc -, /etc/profile -, and all files ending in *.sh - in the /etc/profile.d/ - directory and remove or edit all TMOUT=_n_ - entries to follow local site policy. TMOUT - should not exceed 900 or be equal to 0 -. + Review /etc/bashrc + , /etc/profile + , and all files ending in *.sh + in the /etc/profile.d/ + directory and remove or edit all TMOUT=_n_ + entries to follow local site policy. TMOUT + should not exceed 900 or be equal to 0 + . -Configure TMOUT - in one - of the following files: + Configure TMOUT + in one + of the following files: -A file in the /etc/profile.d/ - directory ending in .sh + A file in the /etc/profile.d/ + directory ending in .sh /etc/profile @@ -22621,33 +22621,33 @@ A file in the /etc/profile. -Example command to set TMOUT to 900 - seconds in a file in /etc/profile.d/ -: + Example command to set TMOUT to 900 + seconds in a file in /etc/profile.d/ + : # printf '%s\n' "# Set TMOUT to 900 seconds" "typeset -xr TMOUT=900" > /etc/profile.d/50-tmout.sh - + TMOUT - configuration examples: + configuration examples: typeset -xr TMOUT=900 - + Deprecated methods: As multiple lines: -TMOUT=900
-readonly TMOUT
-export TMOUT -
+ TMOUT=900
+ readonly TMOUT
+ export TMOUT + As a single line: readonly TMOUT=900 ; export TMOUT - +
@@ -22663,76 +22663,76 @@ export TMOUT Ensure default user umask is configured -The user file-creation mode mask ( umask -) is used to determine the file permission for newly created directories and files. In Linux, the default permissions for any newly created directory is 0777 ( rwxrwxrwx -), and for any newly created file it is 0666 ( rw-rw-rw- -). The umask - modifies the default Linux permissions by restricting (masking) these permissions. The umask - is not simply subtracted, but is processed bitwise. Bits set in the umask - are cleared in the resulting file mode. + The user file-creation mode mask ( umask + ) is used to determine the file permission for newly created directories and files. In Linux, the default permissions for any newly created directory is 0777 ( rwxrwxrwx + ), and for any newly created file it is 0666 ( rw-rw-rw- + ). The umask + modifies the default Linux permissions by restricting (masking) these permissions. The umask + is not simply subtracted, but is processed bitwise. Bits set in the umask + are cleared in the resulting file mode. umask - can be set with either Octal - or Symbolic - values: + can be set with either Octal + or Symbolic + values: Octal - (Numeric) Value - Represented by either three or four digits. ie umask 0027 - or umask 027 -. If a four digit umask is used, the first digit is ignored. The remaining three digits effect the resulting permissions for user, group, and world/other respectively. + (Numeric) Value - Represented by either three or four digits. ie umask 0027 + or umask 027 + . If a four digit umask is used, the first digit is ignored. The remaining three digits effect the resulting permissions for user, group, and world/other respectively. Symbolic - Value - Represented by a comma separated list for User u -, group g -, and world/other o -. The permissions listed are not masked by umask -. 
ie a umask - set by umask u=rwx,g=rx,o= - is the Symbolic - equivalent of the Octal + Value - Represented by a comma separated list for User u + , group g + , and world/other o + . The permissions listed are not masked by umask + . ie a umask + set by umask u=rwx,g=rx,o= + is the Symbolic + equivalent of the Octal umask 027 -. This umask - would set a newly created directory with file mode drwxr-x--- - and a newly created file with file mode rw-r----- -. + . This umask + would set a newly created directory with file mode drwxr-x--- + and a newly created file with file mode rw-r----- + . -The default umask - can be set to use the pam_umask - module or in a System Wide Shell Configuration File -. The user creating the directories or files has the discretion of changing the permissions via the chmod command, or choosing a different default umask - by adding the umask - command into a User Shell Configuration File -, ( .bash_profile - or .bashrc -), in their home directory. + The default umask + can be set to use the pam_umask + module or in a System Wide Shell Configuration File + . The user creating the directories or files has the discretion of changing the permissions via the chmod command, or choosing a different default umask + by adding the umask + command into a User Shell Configuration File + , ( .bash_profile + or .bashrc + ), in their home directory. Setting the default umask: -pam_umask module: - + pam_umask module: + -will set the umask according to the system default in /etc/login.defs - and user settings, solving the problem of different umask - settings with different shells, display managers, remote sessions etc. + will set the umask according to the system default in /etc/login.defs + and user settings, solving the problem of different umask + settings with different shells, display managers, remote sessions etc. 
umask=<mask> - value in the /etc/login.defs - file is interpreted as Octal + value in the /etc/login.defs + file is interpreted as Octal -Setting USERGROUPS_ENAB - to yes in /etc/login.defs - (default): - + Setting USERGROUPS_ENAB + to yes in /etc/login.defs + (default): + -will enable setting of the umask - group bits to be the same as owner bits. (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid - is the same as gid -, and username - is the same as the <primary group name> + will enable setting of the umask + group bits to be the same as owner bits. (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid + is the same as gid + , and username + is the same as the <primary group name> userdel will remove the user's group if it contains no more members, and useradd will create by default a group with the name of the user 
@@ -22741,33 +22741,33 @@ will enable setting of the System Wide Shell Configuration File -: - + : + /etc/profile - - used to set system wide environmental variables on users shells. The variables are sometimes the same ones that are in the .bash_profile -, however this file is used to set an initial PATH or PS1 for all shell users of the system. -is only executed for interactive login - shells, or shells executed with the --login parameter. + - used to set system wide environmental variables on users shells. The variables are sometimes the same ones that are in the .bash_profile + , however this file is used to set an initial PATH or PS1 for all shell users of the system. + is only executed for interactive login + shells, or shells executed with the --login parameter. /etc/profile.d - - /etc/profile - will execute the scripts within /etc/profile.d/*.sh -. It is recommended to place your configuration in a shell script within /etc/profile.d - to set your own system wide environmental variables. + - /etc/profile + will execute the scripts within /etc/profile.d/*.sh + . It is recommended to place your configuration in a shell script within /etc/profile.d + to set your own system wide environmental variables. /etc/bashrc - - System wide version of .bashrc -. In Fedora derived distributions, etc/bashrc - also invokes /etc/profile.d/*.sh if non-login - shell, but redirects output to /dev/null - if non-interactive. + - System wide version of .bashrc + . In Fedora derived distributions, etc/bashrc + also invokes /etc/profile.d/*.sh if non-login + shell, but redirects output to /dev/null + if non-interactive. -Is only executed for interactive - shells or if BASH_ENV - is set to /etc/bashrc -. + Is only executed for interactive + shells or if BASH_ENV + is set to /etc/bashrc + . 
@@ -22778,39 +22778,39 @@ Is only executed for interactive ~/.bash_profile - - Is executed to configure your shell before the initial command prompt. Is only read by login shells. + - Is executed to configure your shell before the initial command prompt. Is only read by login shells. ~/.bashrc - - Is executed for interactive shells. only read by a shell that's both interactive and non-login + - Is executed for interactive shells. only read by a shell that's both interactive and non-login umask - is set by order of precedence. If umask - is set in multiple locations, this order of precedence will determine the system's default umask -. + is set by order of precedence. If umask + is set in multiple locations, this order of precedence will determine the system's default umask + . Order of precedence: -A file in /etc/profile.d/ - ending in .sh - - This will override any other system-wide umask - setting + A file in /etc/profile.d/ + ending in .sh + - This will override any other system-wide umask + setting -In the file /etc/profile + In the file /etc/profile -On the pam_umask.so - module in /etc/pam.d/postlogin + On the pam_umask.so + module in /etc/pam.d/postlogin -In the file /etc/login.defs + In the file /etc/login.defs -In the file /etc/default/login + In the file /etc/default/login @@ -22837,8 +22837,8 @@ In the file /etc/default/login< If other methods are in use in your environment they should be audited The default user umask can be overridden with a user specific umask -The user creating the directories or files has the discretion of changing the permissions: - + The user creating the directories or files has the discretion of changing the permissions: + Using the chmod command Setting a different default umask by adding the umask command into a User Shell Configuration File, (.bashrc), in their home directory Manually changing the umask for the duration of a login session by running the umask command 
@@ -22849,9 +22849,9 @@ The user creating the directories or files has the discretion of changing the pe
-Setting a secure default value for umask - ensures that users make a conscious choice about their file permissions. A permissive umask - value could result in directories or files with excessive permissions that can be read and/or written to by unauthorized users. + Setting a secure default value for umask + ensures that users make a conscious choice about their file permissions. A permissive umask + value could result in directories or files with excessive permissions that can be read and/or written to by unauthorized users. @@ -22860,55 +22860,55 @@ Setting a secure default value for 027 - or more restrictive: + Run the following script and perform the instructions in the output to set the default umask to 027 + or more restrictive: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_output="" l_output2="" l_out=""
- file_umask_chk()
- {
- if grep -Psiq -- '^\h*umask\h+(0?[0-7][2-7]7|u(=[rwx]{0,3}),g=([rx]{0,2}),o=)(\h*#.*)?$' "$l_file"; then
- l_out="$l_out\n - umask is set correctly in \"$l_file\""
- elif grep -Psiq -- '^\h*umask\h+(([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b)|([0-7][01][0-7]\b|[0-7][0-7][0-6]\b)|(u=[rwx]{1,3},)?(((g=[rx]?[rx]?w[rx]?[rx]?\b)(,o=[rwx]{1,3})?)|((g=[wrx]{1,3},)?o=[wrx]{1,3}\b)))' "$l_file"; then
- l_output2="$l_output2\n - \"$l_file\""
- fi
- }
- while IFS= read -r -d $'\0' l_file; do
- file_umask_chk
- done < <(find /etc/profile.d/ -type f -name '*.sh' -print0)
- [ -n "$l_out" ] && l_output="$l_out"
- l_file="/etc/profile" && file_umask_chk
- l_file="/etc/bashrc" && file_umask_chk
- l_file="/etc/bash.bashrc" && file_umask_chk
- l_file="/etc/pam.d/postlogin"
- if grep -Psiq '^\h*session\h+[^#\n\r]+\h+pam_umask\.so\h+([^#\n\r]+\h+)?umask=(([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b)|([0-7][01][0-7]\b))' "$l_file"; then
- l_output2="$l_output2\n - \"$l_file\""
- fi
- l_file="/etc/login.defs" && file_umask_chk
- l_file="/etc/default/login" && file_umask_chk
- if [ -z "$l_output2" ]; then
- echo -e " - No files contain a UMASK that is not restrictive enough\n No UMASK updates required to existing files"
- else
- echo -e "\n - UMASK is not restrictive enough in the following file(s):$l_output2\n\n- Remediation Procedure:\n - Update these files and comment out the UMASK line\n or update umask to be \"0027\" or more restrictive"
- fi
- if [ -n "$l_output" ]; then
- echo -e "$l_output"
- else
- echo -e " - Configure UMASK in a file in the \"/etc/profile.d/\" directory ending in \".sh\"\n\n Example Command (Hash to represent being run at a root prompt):\n\n# printf '%s\\\n' \"umask 027\" > /etc/profile.d/50-systemwide_umask.sh\n"
- fi
-} -
+ {
+ l_output="" l_output2="" l_out=""
+ file_umask_chk()
+ {
+ if grep -Psiq -- '^\h*umask\h+(0?[0-7][2-7]7|u(=[rwx]{0,3}),g=([rx]{0,2}),o=)(\h*#.*)?$' "$l_file"; then
+ l_out="$l_out\n - umask is set correctly in \"$l_file\""
+ elif grep -Psiq -- '^\h*umask\h+(([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b)|([0-7][01][0-7]\b|[0-7][0-7][0-6]\b)|(u=[rwx]{1,3},)?(((g=[rx]?[rx]?w[rx]?[rx]?\b)(,o=[rwx]{1,3})?)|((g=[wrx]{1,3},)?o=[wrx]{1,3}\b)))' "$l_file"; then
+ l_output2="$l_output2\n - \"$l_file\""
+ fi
+ }
+ while IFS= read -r -d $'\0' l_file; do
+ file_umask_chk
+ done < <(find /etc/profile.d/ -type f -name '*.sh' -print0)
+ [ -n "$l_out" ] && l_output="$l_out"
+ l_file="/etc/profile" && file_umask_chk
+ l_file="/etc/bashrc" && file_umask_chk
+ l_file="/etc/bash.bashrc" && file_umask_chk
+ l_file="/etc/pam.d/postlogin"
+ if grep -Psiq '^\h*session\h+[^#\n\r]+\h+pam_umask\.so\h+([^#\n\r]+\h+)?umask=(([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b)|([0-7][01][0-7]\b))' "$l_file"; then
+ l_output2="$l_output2\n - \"$l_file\""
+ fi
+ l_file="/etc/login.defs" && file_umask_chk
+ l_file="/etc/default/login" && file_umask_chk
+ if [ -z "$l_output2" ]; then
+ echo -e " - No files contain a UMASK that is not restrictive enough\n No UMASK updates required to existing files"
+ else
+ echo -e "\n - UMASK is not restrictive enough in the following file(s):$l_output2\n\n- Remediation Procedure:\n - Update these files and comment out the UMASK line\n or update umask to be \"0027\" or more restrictive"
+ fi
+ if [ -n "$l_output" ]; then
+ echo -e "$l_output"
+ else
+ echo -e " - Configure UMASK in a file in the \"/etc/profile.d/\" directory ending in \".sh\"\n\n Example Command (Hash to represent being run at a root prompt):\n\n# printf '%s\\\n' \"umask 027\" > /etc/profile.d/50-systemwide_umask.sh\n"
+ fi
+ } + Notes: This method only applies to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked -If the pam_umask.so - module is going to be used to set umask -, ensure that it's not being overridden by another setting. Refer to the PAM_UMASK(8) man page for more information + If the pam_umask.so + module is going to be used to set umask + , ensure that it's not being overridden by another setting. Refer to the PAM_UMASK(8) man page for more information 
@@ -22928,23 +22928,23 @@ If the pam_umask.so The items in this section describe how to configure logging, log monitoring, and auditing, using tools included in most distributions. -It is recommended that rsyslog -be used for logging (with logwatch -providing summarization) and auditd - be used for auditing (with aureport -providing summarization) to automatically monitor logs for intrusion attempts and other suspicious system behavior. + It is recommended that rsyslog + be used for logging (with logwatch + providing summarization) and auditd + be used for auditing (with aureport + providing summarization) to automatically monitor logs for intrusion attempts and other suspicious system behavior. In addition to the local log files created by the steps in this section, it is also recommended that sites collect copies of their system logs on a secure, centralized log server via an encrypted connection. Not only does centralized logging help sites correlate events that may be occurring on multiple systems, but having a second copy of the system log information may be critical after a system compromise where the attacker has modified the local log files on the affected system(s). If a log correlation system is deployed, configure it to process the logs described in this section. -Because it is often necessary to correlate log information from many different systems (particularly after a security incident) it is recommended that the time be synchronized among systems and devices connected to the local network. The standard Internet protocol for time synchronization is the Network Time Protocol (NTP), which is supported by most network-ready devices. Reference < http://chrony.tuxfamily.org/ -> manual page for more information on configuring chrony. 
+ Because it is often necessary to correlate log information from many different systems (particularly after a security incident) it is recommended that the time be synchronized among systems and devices connected to the local network. The standard Internet protocol for time synchronization is the Network Time Protocol (NTP), which is supported by most network-ready devices. Reference < http://chrony.tuxfamily.org/ + > manual page for more information on configuring chrony. It is important that all logs described in this section be monitored on a regular basis and correlated to determine trends. A seemingly innocuous entry in one log could be more significant when compared to an entry in another log. Note on log file permissions: - There really isn't a "one size fits all" solution to the permissions on log files. Many sites utilize group permissions so that administrators who are in a defined security group, such as "wheel" do not have to elevate privileges to root in order to read log files. Also, if a third party log aggregation tool is used, it may need to have group permissions to read the log files, which is preferable to having it run setuid to root. Therefore, there are two remediation and audit steps for log file permissions. One is for systems that do not have a secured group method implemented that only permits root to read the log files ( root:root 600 -). The other is for sites that do have such a setup and are designated as root:securegrp 640 -where securegrp - is the defined security group (in some cases wheel -). + There really isn't a "one size fits all" solution to the permissions on log files. Many sites utilize group permissions so that administrators who are in a defined security group, such as "wheel" do not have to elevate privileges to root in order to read log files. Also, if a third party log aggregation tool is used, it may need to have group permissions to read the log files, which is preferable to having it run setuid to root. 
Therefore, there are two remediation and audit steps for log file permissions. One is for systems that do not have a secured group method implemented that only permits root to read the log files ( root:root 600 + ). The other is for sites that do have such a setup and are designated as root:securegrp 640 + where securegrp + is the defined security group (in some cases wheel + ). Configure Integrity Checking @@ -22957,7 +22957,7 @@ where securegrp Advanced Intrusion Detection Environment (AIDE) is a intrusion detection tool that uses predefined rules to check the integrity of files and directories in the Linux operating system. AIDE has its own database to check the integrity of files and directories. aide - takes a snapshot of files and directories including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system. + takes a snapshot of files and directories including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system. @@ -22978,10 +22978,10 @@ where securegrp -The prelinking feature can interfere with aide - because it alters binaries to speed up their start up times. Run prelink -ua - to restore the binaries to their prelinked state, thus avoiding false positives from aide -. + The prelinking feature can interfere with aide + because it alters binaries to speed up their start up times. Run prelink -ua + to restore the binaries to their prelinked state, thus avoiding false positives from aide + . 
@@ -22995,22 +22995,22 @@ The prelinking feature can interfere with aide -: + Run the following command to install aide + : # dnf install aide - + -Configure aide - as appropriate for your environment. Consult the aide - documentation for options. + Configure aide + as appropriate for your environment. Consult the aide + documentation for options. -Initialize aide -: + Initialize aide + : Run the following commands: # aide --init - + # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz - + @@ -23060,59 +23060,59 @@ Initialize aide - IF - cron - will be used to schedule and run aide check + will be used to schedule and run aide check Run the following command: # crontab -u root -e - + Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check - + - OR - - IF - aidecheck.service - and aidecheck.timer - will be used to schedule and run aide check: + and aidecheck.timer + will be used to schedule and run aide check: -Create or edit the file /etc/systemd/system/aidecheck.service - and add the following lines: + Create or edit the file /etc/systemd/system/aidecheck.service + and add the following lines: -[Unit]
-Description=Aide Check
+ [Unit]
+ Description=Aide Check

-[Service]
-Type=simple
-ExecStart=/usr/sbin/aide --check
+ [Service]
+ Type=simple
+ ExecStart=/usr/sbin/aide --check

-[Install]
-WantedBy=multi-user.target -
+ [Install]
+ WantedBy=multi-user.target + -Create or edit the file /etc/systemd/system/aidecheck.timer - and add the following lines: + Create or edit the file /etc/systemd/system/aidecheck.timer + and add the following lines: -[Unit]
-Description=Aide check every day at 5AM
+ [Unit]
+ Description=Aide check every day at 5AM

-[Timer]
-OnCalendar=*-*-* 05:00:00
-Unit=aidecheck.service
+ [Timer]
+ OnCalendar=*-*-* 05:00:00
+ Unit=aidecheck.service

-[Install]
-WantedBy=multi-user.target -
+ [Install]
+ WantedBy=multi-user.target + Run the following commands: -# chown root:root /etc/systemd/system/aidecheck.*
-# chmod 0644 /etc/systemd/system/aidecheck.*
+ # chown root:root /etc/systemd/system/aidecheck.*
+ # chmod 0644 /etc/systemd/system/aidecheck.*

-# systemctl daemon-reload
+ # systemctl daemon-reload

-# systemctl enable aidecheck.service
-# systemctl --now enable aidecheck.timer -
+ # systemctl enable aidecheck.service
+ # systemctl --now enable aidecheck.timer + @@ -23194,58 +23194,58 @@ WantedBy=multi-user.target Run the following command to determine the absolute path to the non-symlinked version on the audit tools: # readlink -f /sbin - + -The output will be either /usr/sbin + The output will be either /usr/sbin - OR - /sbin -. Ensure the correct path is used. + . Ensure the correct path is used. -Edit /etc/aide.conf - and add or update the following selection lines replacing <PATH> - with the correct path returned in the command above: + Edit /etc/aide.conf + and add or update the following selection lines replacing <PATH> + with the correct path returned in the command above: -# Audit Tools
-<PATH>/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
-<PATH>/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
-<PATH>/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
-<PATH>/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
-<PATH>/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
-<PATH>/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 -
+ # Audit Tools
+ <PATH>/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
+ <PATH>/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
+ <PATH>/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
+ <PATH>/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
+ <PATH>/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
+ <PATH>/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 + Example -# printf '\n%s' "# Audit Tools" "$(readlink -f /sbin/auditctl) p+i+n+u+g+s+b+acl+xattrs+sha512" \
-"$(readlink -f /sbin/auditd) p+i+n+u+g+s+b+acl+xattrs+sha512" \
-"$(readlink -f /sbin/ausearch) p+i+n+u+g+s+b+acl+xattrs+sha512" \
-"$(readlink -f /sbin/aureport) p+i+n+u+g+s+b+acl+xattrs+sha512" \
-"$(readlink -f /sbin/autrace) p+i+n+u+g+s+b+acl+xattrs+sha512" \
-"$(readlink -f /sbin/augenrules) p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf -
+ # printf '\n%s' "# Audit Tools" "$(readlink -f /sbin/auditctl) p+i+n+u+g+s+b+acl+xattrs+sha512" \
+ "$(readlink -f /sbin/auditd) p+i+n+u+g+s+b+acl+xattrs+sha512" \
+ "$(readlink -f /sbin/ausearch) p+i+n+u+g+s+b+acl+xattrs+sha512" \
+ "$(readlink -f /sbin/aureport) p+i+n+u+g+s+b+acl+xattrs+sha512" \
+ "$(readlink -f /sbin/autrace) p+i+n+u+g+s+b+acl+xattrs+sha512" \
+ "$(readlink -f /sbin/augenrules) p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf + Note: - IF - /etc/aide.conf - includes a @@x_include - statement: + includes a @@x_include + statement: Example: @@x_include /etc/aide.conf.d ^[a-zA-Z0-9_-]+$ - + @@x_include - FILE + FILE @@x_include - DIRECTORY REGEX - + DIRECTORY REGEX + @x_include - is identical to @@include -, except that if a config file is executable it is run and the output is used as config. + is identical to @@include + , except that if a config file is executable it is run and the output is used as config. If the executable file exits with status greater than zero or writes to stderr aide stops with an error. For security reasons DIRECTORY and each executable config file must be owned by the current user and must not be group or world-writable. @@ -23280,7 +23280,7 @@ Edit /etc/aide.confWhat is covered -This section will cover the minimum best practices for the usage of + This section will cover the minimum best practices for the usage of either rsyslog 
@@ -23288,33 +23288,33 @@ This section will cover the minimum best practices for the usage of or journald -. The recommendations are written such that each is wholly independent of each other and + . The recommendations are written such that each is wholly independent of each other and only one is implemented -. + . -If your organization makes use of an enterprise wide logging system completely outside of rsyslog - or journald -, then the following recommendations do not directly apply. However, the principals of the recommendations should be followed regardless of what solution is implemented. If the enterprise solution incorporates either of these tools, careful consideration should be given to the following recommendations to determine exactly what applies. + If your organization makes use of an enterprise wide logging system completely outside of rsyslog + or journald + , then the following recommendations do not directly apply. However, the principals of the recommendations should be followed regardless of what solution is implemented. If the enterprise solution incorporates either of these tools, careful consideration should be given to the following recommendations to determine exactly what applies. -Should your organization make use of both rsyslog - and journald -, take care how the recommendations may or may not apply to you. + Should your organization make use of both rsyslog + and journald + , take care how the recommendations may or may not apply to you. What is not covered -Enterprise logging systems not utilizing rsyslog - or journald -. -As logging is very situational and dependent on the local environment, not everything can be covered here. + Enterprise logging systems not utilizing rsyslog + or journald + . + As logging is very situational and dependent on the local environment, not everything can be covered here. -Transport layer security should be applied to all remote logging functionality. 
Both rsyslog - and journald - supports secure transport and should be configured as such. + Transport layer security should be applied to all remote logging functionality. Both rsyslog + and journald + supports secure transport and should be configured as such. The log server. There are a multitude of reasons for a centralized log server (and keeping a short period of logging on the local system), but the log server is out of scope for these recommendations. @@ -23323,7 +23323,7 @@ Transport layer security should be applied to all remote logging functionality. systemd-journald - is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging information that is received from a variety of sources: + is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging information that is received from a variety of sources: Kernel log messages, via kmsg Simple system log messages, via the libc syslog call 
@@ -23333,31 +23333,31 @@ Transport layer security should be applied to all remote logging functionality. The daemon will implicitly collect numerous metadata fields for each log messages in a secure and unfakeable way. See systemd.journal-fields man page for more information about the collected metadata. -The journal service stores log data either persistently below /var/log/journal - or in a volatile way below /run/log/journal/ -. By default, log data is stored persistently if /var/log/journal/ - exists during boot, with an implicit fallback to volatile storage. Use Storage= - in journald.conf - to configure where log data is placed, independently of the existence of /var/log/journal/ -. + The journal service stores log data either persistently below /var/log/journal + or in a volatile way below /run/log/journal/ + . By default, log data is stored persistently if /var/log/journal/ + exists during boot, with an implicit fallback to volatile storage. Use Storage= + in journald.conf + to configure where log data is placed, independently of the existence of /var/log/journal/ + . -On systems where /var/log/journal/ - does not exist but where persistent logging is desired, and the default journald.conf - is used, it is sufficient to create the directory and ensure it has the correct access modes and ownership. + On systems where /var/log/journal/ + does not exist but where persistent logging is desired, and the default journald.conf + is used, it is sufficient to create the directory and ensure it has the correct access modes and ownership. Note: systemd-journald.service - must be configured appropriately for either journald + must be configured appropriately for either journald - OR - rsyslog - to operate effectively. + to operate effectively. Ensure journald service is enabled and active -Ensure that the systemd-journald - service is enabled to allow capturing of logging events. 
+ Ensure that the systemd-journald + service is enabled to allow capturing of logging events. @@ -23384,8 +23384,8 @@ Ensure that the systemd-journald< -If the systemd-journald - service is not enabled to start on boot, the system will not capture logging events. + If the systemd-journald + service is not enabled to start on boot, the system will not capture logging events. @@ -23395,12 +23395,12 @@ If the systemd-journald -Run the following commands to unmask and start systemd-journald.service + Run the following commands to unmask and start systemd-journald.service -# systemctl unmask systemd-journald.service
-# systemctl start systemd-journald.service -
+ # systemctl unmask systemd-journald.service
+ # systemctl start systemd-journald.service +
@@ -23439,9 +23439,9 @@ Run the following commands to unmask and start -See man 5 tmpfiles.d - for detailed information on the permission sets for the relevant log files. -Further information with examples can be found at https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html + See man 5 tmpfiles.d + for detailed information on the permission sets for the relevant log files. + Further information with examples can be found at https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
@@ -23455,10 +23455,10 @@ Further information with examples can be found at -If the default configuration is not appropriate for the site specific requirements, copy /usr/lib/tmpfiles.d/systemd.conf - to /etc/tmpfiles.d/systemd.conf - and modify as required. Requirements is either 0640 - or site policy if that is less restrictive. + If the default configuration is not appropriate for the site specific requirements, copy /usr/lib/tmpfiles.d/systemd.conf + to /etc/tmpfiles.d/systemd.conf + and modify as required. Requirements is either 0640 + or site policy if that is less restrictive. @@ -23467,8 +23467,8 @@ If the default configuration is not appropriate for the site specific requiremen Ensure journald log file rotation is configured -Journald includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/systemd/journald.conf - is the configuration file used to specify how logs generated by Journald should be rotated. + Journald includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/systemd/journald.conf + is the configuration file used to specify how logs generated by Journald should be rotated. @@ -23494,8 +23494,8 @@ Journald includes the capability of rotating log files regularly to avoid fillin -See man 5 journald.conf - for detailed information regarding the parameters in use. + See man 5 journald.conf + for detailed information regarding the parameters in use. 
@@ -23510,25 +23510,25 @@ See man 5 journald.conf -Edit /etc/systemd/journald.conf - or a file ending in .conf - the /etc/systemd/journald.conf.d/ - directory. Set the following parameters in the [Journal] - section to ensure logs are rotated according to site policy. The settings should be carefully understood as there are specific edge cases and prioritization of parameters. + Edit /etc/systemd/journald.conf + or a file ending in .conf + the /etc/systemd/journald.conf.d/ + directory. Set the following parameters in the [Journal] + section to ensure logs are rotated according to site policy. The settings should be carefully understood as there are specific edge cases and prioritization of parameters. Example Configuration -[Journal]
-SystemMaxUse=1G
-SystemKeepFree=500M
-RuntimeMaxUse=200M
-RuntimeKeepFree=50M
-MaxFileSec=1month -
+ [Journal]
+ SystemMaxUse=1G
+ SystemKeepFree=500M
+ RuntimeMaxUse=200M
+ RuntimeKeepFree=50M
+ MaxFileSec=1month + Note: - If these settings appear in a canonically later file, or later in the same file, the setting will be overwritten + If these settings appear in a canonically later file, or later in the same file, the setting will be overwritten @@ -23537,36 +23537,36 @@ MaxFileSec=1month Ensure only one logging system is in use -Best practices recommend that a single centralized logging system be used for log management, choose a single service either rsyslog + Best practices recommend that a single centralized logging system be used for log management, choose a single service either rsyslog - OR - journald - to be used as a single centralized logging system. + to be used as a single centralized logging system. -Configuring only one logging service either rsyslog + Configuring only one logging service either rsyslog - OR - journald - avoids redundancy, optimizes resources, simplifies configuration and management, and ensures consistency. + avoids redundancy, optimizes resources, simplifies configuration and management, and ensures consistency. -Determine whether to use journald + Determine whether to use journald - OR - rsyslog - depending on site needs + depending on site needs -Configure systemd-jounald.service + Configure systemd-jounald.service -Configure only ONE - either journald + Configure only ONE + either journald - OR - rsyslog - and complete the recommendations in that subsection + and complete the recommendations in that subsection Return to this recommendation to ensure only one logging system is in use Impact: 
@@ -23589,49 +23589,49 @@ Configure only ONE Included in the systemd suite is a journaling service called systemd-journald.service for the collection and storage of logging data. It creates and maintains structured, indexed journals based on logging information that is received from a variety of sources such as: Classic RFC3164 BSD syslog via the /dev/log socket -STDOUT/STDERR of programs via StandardOutput=journal + StandardError=journal in service files (both of which are default settings) -Kernel log messages via the /dev/kmsg device node -Audit records via the kernel’s audit subsystem -Structured log messages via journald’s native protocol -Any changes made to the systemd-journald configuration will require a re-start of systemd-journald + STDOUT/STDERR of programs via StandardOutput=journal + StandardError=journal in service files (both of which are default settings) + Kernel log messages via the /dev/kmsg device node + Audit records via the kernel’s audit subsystem + Structured log messages via journald’s native protocol + Any changes made to the systemd-journald configuration will require a re-start of systemd-journald Note: - IF - rsyslog - will be used for remote logging on the system this subsection can be skipped + will be used for remote logging on the system this subsection can be skipped Configure systemd-journal-remote -The systemd-journal-remote - package includes systemd-journal-upload -. + The systemd-journal-remote + package includes systemd-journal-upload + . systemd-journal-upload - will upload journal entries to the URL specified with --url=. This program reads journal entries from one or more journal files, similarly to journalctl. + will upload journal entries to the URL specified with --url=. This program reads journal entries from one or more journal files, similarly to journalctl. systemd-journal-upload - transfers the raw content of journal file and uses HTTP as a transport protocol. 
+ transfers the raw content of journal file and uses HTTP as a transport protocol. systemd-journal-upload.service - is a system service that uses systemd-journal-upload - to upload journal entries to a server. It uses the configuration in journal-upload.conf -. + is a system service that uses systemd-journal-upload + to upload journal entries to a server. It uses the configuration in journal-upload.conf + . Note: - IF - rsyslog - is in use this subsection can be skipped. + is in use this subsection can be skipped. Ensure systemd-journal-remote is installed -Journald systemd-journal-remote - supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management. + Journald systemd-journal-remote + supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management. @@ -23660,11 +23660,11 @@ Journald systemd-journal-remote Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system. Note: - This recommendation -only applies if journald - is the chosen method for client side logging -. Do not apply this recommendation if rsyslog - is used. + This recommendation + only applies if journald + is the chosen method for client side logging + . Do not apply this recommendation if rsyslog + is used.
@@ -23674,10 +23674,10 @@ only applies if journald -Run the following command to install systemd-journal-remote -: + Run the following command to install systemd-journal-remote + : # dnf install systemd-journal-remote - + @@ -23706,8 +23706,8 @@ Run the following command to install Ensure systemd-journal-upload authentication is configured -Journald systemd-journal-upload - supports the ability to send log events it gathers to a remote log host. + Journald systemd-journal-upload + supports the ability to send log events it gathers to a remote log host. @@ -23736,11 +23736,11 @@ Journald systemd-journal-upload Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system. Note: - This recommendation -only applies if journald - is the chosen method for client side logging -. Do not apply this recommendation if rsyslog - is used. + This recommendation + only applies if journald + is the chosen method for client side logging + . Do not apply this recommendation if rsyslog + is used. @@ -23750,21 +23750,21 @@ only applies if journald -Edit the /etc/systemd/journal-upload.conf - file or a file in /etc/systemd/journal-upload.conf.d - ending in .conf - and ensure the following lines are set in the [Upload] - section per your environment: + Edit the /etc/systemd/journal-upload.conf + file or a file in /etc/systemd/journal-upload.conf.d + ending in .conf + and ensure the following lines are set in the [Upload] + section per your environment: -[Upload]
-URL=192.168.50.42
-ServerKeyFile=/etc/ssl/private/journal-upload.pem
-ServerCertificateFile=/etc/ssl/certs/journal-upload.pem
-TrustedCertificateFile=/etc/ssl/ca/trusted.pem -
+ [Upload]
+ URL=192.168.50.42
+ ServerKeyFile=/etc/ssl/private/journal-upload.pem
+ ServerCertificateFile=/etc/ssl/certs/journal-upload.pem
+ TrustedCertificateFile=/etc/ssl/ca/trusted.pem + Restart the service: # systemctl restart systemd-journal-upload - + @@ -23773,8 +23773,8 @@ TrustedCertificateFile=/etc/ssl/ca/trusted.pem Ensure systemd-journal-upload is enabled and active -Journald systemd-journal-upload - supports the ability to send log events it gathers to a remote log host. + Journald systemd-journal-upload + supports the ability to send log events it gathers to a remote log host. @@ -23803,11 +23803,11 @@ Journald systemd-journal-upload Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system. Note: - This recommendation -only applies if journald - is the chosen method for client side logging -. Do not apply this recommendation if rsyslog - is used. + This recommendation + only applies if journald + is the chosen method for client side logging + . Do not apply this recommendation if rsyslog + is used. @@ -23817,12 +23817,12 @@ only applies if journald -Run the following commands to unmask, enable and start systemd-journal-upload -: + Run the following commands to unmask, enable and start systemd-journal-upload + : -# systemctl unmask systemd-journal-upload.service
-# systemctl --now enable systemd-journal-upload.service -
+ # systemctl unmask systemd-journal-upload.service
+ # systemctl --now enable systemd-journal-upload.service + @@ -23853,19 +23853,19 @@ Run the following commands to unmask, enable and start Ensure systemd-journal-remote service is not in use -Journald systemd-journal-remote - supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. + Journald systemd-journal-remote + supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. Note: -The same package, systemd-journal-remote -, is used for both sending logs to remote hosts and receiving incoming logs. + The same package, systemd-journal-remote + , is used for both sending logs to remote hosts and receiving incoming logs. -With regards to receiving logs, there are two services; systemd-journal-remote.socket - and systemd-journal-remote.service -. + With regards to receiving logs, there are two services; systemd-journal-remote.socket + and systemd-journal-remote.service + . @@ -23890,11 +23890,11 @@ With regards to receiving logs, there are two services; If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary. Note: - This recommendation -only applies if journald - is the chosen method for client side logging -. Do not apply this recommendation if rsyslog - is used. + This recommendation + only applies if journald + is the chosen method for client side logging + . Do not apply this recommendation if rsyslog + is used. @@ -23903,12 +23903,12 @@ only applies if journald -Run the following commands to stop and mask systemd-journal-remote.socket - and systemd-journal-remote.service: + Run the following commands to stop and mask systemd-journal-remote.socket + and systemd-journal-remote.service: -# systemctl stop systemd-journal-remote.socket systemd-journal-remote.service
-# systemctl mask systemd-journal-remote.socket systemd-journal-remote.service -
+ # systemctl stop systemd-journal-remote.socket systemd-journal-remote.service
+ # systemctl mask systemd-journal-remote.socket systemd-journal-remote.service + @@ -23952,8 +23952,8 @@ Run the following commands to stop and mask Ensure journald ForwardToSyslog is disabled -Data from journald - should be kept in the confines of the service and not forwarded to other services. + Data from journald + should be kept in the confines of the service and not forwarded to other services. @@ -23977,15 +23977,15 @@ Data from journald - IF - journald - is the method for capturing logs, all logs of the system should be handled by journald - and not forwarded to other logging mechanisms. + is the method for capturing logs, all logs of the system should be handled by journald + and not forwarded to other logging mechanisms. Note: - This recommendation -only applies if journald - is the chosen method for client side logging -. Do not apply this recommendation if rsyslog - is used. + This recommendation + only applies if journald + is the chosen method for client side logging + . Do not apply this recommendation if rsyslog + is used. @@ -23996,39 +23996,39 @@ only applies if journald
- IF - rsyslog - is the preferred method for capturing logs, this section and Recommendation should be skipped and the "Configure rsyslog" section followed. + is the preferred method for capturing logs, this section and Recommendation should be skipped and the "Configure rsyslog" section followed. - IF - journald - is the preferred method for capturing logs: + is the preferred method for capturing logs: -Set the following parameter in the [Journal] - section in /etc/systemd/journald.conf - or a file in /etc/systemd/journald.conf.d/ ending in .conf -: + Set the following parameter in the [Journal] + section in /etc/systemd/journald.conf + or a file in /etc/systemd/journald.conf.d/ ending in .conf + : ForwardToSyslog=no - + Example: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir /etc/systemd/journald.conf.d/
- if grep -Psq -- '^\h*\[Journal\]' /etc/systemd/journald.conf.d/60-journald.conf; then
- printf '%s\n' "ForwardToSyslog=no" >> /etc/systemd/journald.conf.d/60-journald.conf
- else
- printf '%s\n' "[Journal]" "ForwardToSyslog=no" >> /etc/systemd/journald.conf.d/60-journald.conf
- fi
-} -
+ {
+ [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir /etc/systemd/journald.conf.d/
+ if grep -Psq -- '^\h*\[Journal\]' /etc/systemd/journald.conf.d/60-journald.conf; then
+ printf '%s\n' "ForwardToSyslog=no" >> /etc/systemd/journald.conf.d/60-journald.conf
+ else
+ printf '%s\n' "[Journal]" "ForwardToSyslog=no" >> /etc/systemd/journald.conf.d/60-journald.conf
+ fi
+ } + Note: - If this setting appears in a canonically later file, or later in the same file, the setting will be overwritten + If this setting appears in a canonically later file, or later in the same file, the setting will be overwritten Run to following command to update the parameters in the service: # systemctl reload-or-restart systemd-journald - + @@ -24092,11 +24092,11 @@ Set the following parameter in the journald - is the chosen method for client side logging -. Do not apply this recommendation if rsyslog - is used. + This recommendation + only applies if journald + is the chosen method for client side logging + . Do not apply this recommendation if rsyslog + is used. @@ -24108,34 +24108,34 @@ only applies if journald -Set the following parameter in the [Journal] - section in /etc/systemd/journald.conf - or a file in /etc/systemd/journald.conf.d/ - ending in .conf -: + Set the following parameter in the [Journal] + section in /etc/systemd/journald.conf + or a file in /etc/systemd/journald.conf.d/ + ending in .conf + : Compress=yes - + Example: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir /etc/systemd/journald.conf.d/
- if grep -Psq -- '^\h*\[Journal\]' /etc/systemd/journald.conf.d/60-journald.conf; then
- printf '%s\n' "Compress=yes" >> /etc/systemd/journald.conf.d/60-journald.conf
- else
- printf '%s\n' "[Journal]" "Compress=yes" >> /etc/systemd/journald.conf.d/60-journald.conf
- fi
-} -
+ {
+ [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir /etc/systemd/journald.conf.d/
+ if grep -Psq -- '^\h*\[Journal\]' /etc/systemd/journald.conf.d/60-journald.conf; then
+ printf '%s\n' "Compress=yes" >> /etc/systemd/journald.conf.d/60-journald.conf
+ else
+ printf '%s\n' "[Journal]" "Compress=yes" >> /etc/systemd/journald.conf.d/60-journald.conf
+ fi
+ } + Note: - If this setting appears in a canonically later file, or later in the same file, the setting will be overwritten + If this setting appears in a canonically later file, or later in the same file, the setting will be overwritten Run to following command to update the parameters in the service: # systemctl reload-or-restart systemd-journald - + @@ -24189,11 +24189,11 @@ Set the following parameter in the journald - is the chosen method for client side logging -. Do not apply this recommendation if rsyslog - is used. + This recommendation + only applies if journald + is the chosen method for client side logging + . Do not apply this recommendation if rsyslog + is used. @@ -24203,34 +24203,34 @@ only applies if journald -Set the following parameter in the [Journal] - section in /etc/systemd/journald.conf - or a file in /etc/systemd/journald.conf.d/ - ending in .conf -: + Set the following parameter in the [Journal] + section in /etc/systemd/journald.conf + or a file in /etc/systemd/journald.conf.d/ + ending in .conf + : Storage=persistent - + Example: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir /etc/systemd/journald.conf.d/
- if grep -Psq -- '^\h*\[Journal\]' /etc/systemd/journald.conf.d/60-journald.conf; then
- printf '%s\n' "Storage=persistent" >> /etc/systemd/journald.conf.d/60-journald.conf
- else
- printf '%s\n' "[Journal]" "Storage=persistent" >> /etc/systemd/journald.conf.d/60-journald.conf
- fi
-} -
+ {
+ [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir /etc/systemd/journald.conf.d/
+ if grep -Psq -- '^\h*\[Journal\]' /etc/systemd/journald.conf.d/60-journald.conf; then
+ printf '%s\n' "Storage=persistent" >> /etc/systemd/journald.conf.d/60-journald.conf
+ else
+ printf '%s\n' "[Journal]" "Storage=persistent" >> /etc/systemd/journald.conf.d/60-journald.conf
+ fi
+ } + Note: - If this setting appears in a canonically later file, or later in the same file, the setting will be overwritten + If this setting appears in a canonically later file, or later in the same file, the setting will be overwritten Run to following command to update the parameters in the service: # systemctl reload-or-restart systemd-journald - + 
@@ -24257,34 +24257,34 @@ Set the following parameter in the Configure rsyslog -The rsyslog - software package may be used instead of the default journald - logging mechanism. + The rsyslog + software package may be used instead of the default journald + logging mechanism. Rsyslog has evolved over several decades. For this reason it supports three different configuration formats (“languages”): basic - - previously known as the sysklogd - format, this is the format best used to express basic things, such as where the statement fits on a single line. - + - previously known as the sysklogd + format, this is the format best used to express basic things, such as where the statement fits on a single line. + It stems back to the original syslog.conf format, in use now for several decades. The most common use case is matching on facility/severity and writing matching messages to a log file. advanced - - previously known as the RainerScript - format, this format was first available in rsyslog v6 and is the current, best and most precise format for non-trivial use cases where more than one line is needed. - + - previously known as the RainerScript + format, this format was first available in rsyslog v6 and is the current, best and most precise format for non-trivial use cases where more than one line is needed. + Prior to v7, there was a performance impact when using this format that encouraged use of the basic format for best results. Current versions of rsyslog do not suffer from this (historical) performance impact. This new style format is specifically targeted towards more advanced use cases like forwarding to remote hosts that might be partially offline. obsolete legacy - - previously known simply as the legacy - format, this format is exactly what its name implies: it is obsolete and should not be used when writing new configurations. It was created in the early days (up to rsyslog version 5) where we expected that rsyslog would extend sysklogd just mildly. 
Consequently, it was primarily aimed at small additions to the original sysklogd format. - + - previously known simply as the legacy + format, this format is exactly what its name implies: it is obsolete and should not be used when writing new configurations. It was created in the early days (up to rsyslog version 5) where we expected that rsyslog would extend sysklogd just mildly. Consequently, it was primarily aimed at small additions to the original sysklogd format. + Practice has shown that it was notoriously hard to use for more advanced use cases, and thus we replaced it with the advanced format. In essence, everything that needs to be written on a single line that starts with a dollar sign is legacy format. Users of this format are encouraged to migrate to the basic or advanced formats. @@ -24292,17 +24292,17 @@ The rsyslog Note: - This section only applies if rsyslog - is the chosen method for client side logging. Do not apply this section if journald - is used. + This section only applies if rsyslog + is the chosen method for client side logging. Do not apply this section if journald + is used. Ensure rsyslog is installed -The rsyslog - software is recommended in environments where journald - does not meet operation requirements. + The rsyslog + software is recommended in environments where journald + does not meet operation requirements. 
@@ -24329,13 +24329,13 @@ The rsyslog -The security enhancements of rsyslog - such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package. + The security enhancements of rsyslog + such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package. Note: - This recommendation only applies if rsyslog - is the chosen method for client side logging. Do not apply this recommendation if journald - is used. + This recommendation only applies if rsyslog + is the chosen method for client side logging. Do not apply this recommendation if journald + is used. @@ -24345,10 +24345,10 @@ The security enhancements of rsys -Run the following command to install rsyslog -: + Run the following command to install rsyslog + : # dnf install rsyslog - + @@ -24367,8 +24367,8 @@ Run the following command to install Ensure rsyslog service is enabled and active -Once the rsyslog - package is installed, ensure that the service is enabled. + Once the rsyslog + package is installed, ensure that the service is enabled. @@ -24395,13 +24395,13 @@ Once the rsyslog -If the rsyslog - service is not enabled to start on boot, the system will not capture logging events. + If the rsyslog + service is not enabled to start on boot, the system will not capture logging events. Note: - This recommendation only applies if rsyslog - is the chosen method for client side logging. Do not apply this recommendation if journald - is used. + This recommendation only applies if rsyslog + is the chosen method for client side logging. Do not apply this recommendation if journald + is used. 
@@ -24413,15 +24413,15 @@ If the rsyslog - IF - rsyslog - is being used for logging on the system: + is being used for logging on the system: -Run the following commands to unmask, enable, and start rsyslog.service -: + Run the following commands to unmask, enable, and start rsyslog.service + : -# systemctl unmask rsyslog.service
-# systemctl enable rsyslog.service
-# systemctl start rsyslog.service -
+ # systemctl unmask rsyslog.service
+ # systemctl enable rsyslog.service
+ # systemctl start rsyslog.service + @@ -24447,10 +24447,10 @@ Run the following commands to unmask, enable, and start Ensure journald is configured to send logs to rsyslog -Data from systemd-journald - may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of systemd-journald - logs, however, use of the rsyslog - service provides a consistent means of log collection and export. + Data from systemd-journald + may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of systemd-journald + logs, however, use of the rsyslog + service provides a consistent means of log collection and export. 
@@ -24486,21 +24486,21 @@ Data from systemd-journald -As noted in the systemd-journald - man pages, systemd-journald - logs may be exported to rsyslog - either through the process mentioned here, or through a facility like systemd-journald.service -. There are trade-offs involved in each implementation, where ForwardToSyslog - will immediately capture all events (and forward to an external log server, if properly configured), but may not capture all boot-up activities. Mechanisms such as systemd-journald.service -, on the other hand, will record bootup events, but may delay sending the information to rsyslog -, leading to the potential for log manipulation prior to export. Be aware of the limitations of all tools employed to secure a system. + As noted in the systemd-journald + man pages, systemd-journald + logs may be exported to rsyslog + either through the process mentioned here, or through a facility like systemd-journald.service + . There are trade-offs involved in each implementation, where ForwardToSyslog + will immediately capture all events (and forward to an external log server, if properly configured), but may not capture all boot-up activities. Mechanisms such as systemd-journald.service + , on the other hand, will record bootup events, but may delay sending the information to rsyslog + , leading to the potential for log manipulation prior to export. Be aware of the limitations of all tools employed to secure a system.
- IF - rsyslog - is the preferred method for capturing logs, all logs of the system should be sent to it for further processing. + is the preferred method for capturing logs, all logs of the system should be sent to it for further processing. @@ -24516,45 +24516,45 @@ As noted in the systemd-journal - IF - rsyslog - is the preferred method for capturing logs: + is the preferred method for capturing logs: -Set the following parameter in the [Journal] - section in /etc/systemd/journald.conf - or a file in /etc/systemd/journald.conf.d/ - ending in .conf -: + Set the following parameter in the [Journal] + section in /etc/systemd/journald.conf + or a file in /etc/systemd/journald.conf.d/ + ending in .conf + : ForwardToSyslog=yes - + Example: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir /etc/systemd/journald.conf.d/
- if grep -Psq -- '^\h*\[Journal\]' /etc/systemd/journald.conf.d/60-journald.conf; then
- printf '%s\n' "ForwardToSyslog=yes" >> /etc/systemd/journald.conf.d/60-journald.conf
- else
- printf '%s\n' "[Journal]" "ForwardToSyslog=yes" >> /etc/systemd/journald.conf.d/60-journald.conf
- fi
-} -
+ {
+ [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir /etc/systemd/journald.conf.d/
+ if grep -Psq -- '^\h*\[Journal\]' /etc/systemd/journald.conf.d/60-journald.conf; then
+ printf '%s\n' "ForwardToSyslog=yes" >> /etc/systemd/journald.conf.d/60-journald.conf
+ else
+ printf '%s\n' "[Journal]" "ForwardToSyslog=yes" >> /etc/systemd/journald.conf.d/60-journald.conf
+ fi
+ } + Note: - If this setting appears in a canonically later file, or later in the same file, the setting will be overwritten + If this setting appears in a canonically later file, or later in the same file, the setting will be overwritten Run to following command to update the parameters in the service: -Restart systemd-journald.service -: + Restart systemd-journald.service + : # systemctl reload-or-restart systemd-journald.service - + Impact: - IF - Journald - is the preferred method for capturing logs, this section and Recommendation should be skipped and the "Configure Journald" section followed. + is the preferred method for capturing logs, this section and Recommendation should be skipped and the "Configure Journald" section followed. 
@@ -24575,15 +24575,15 @@ Restart systemd-journald.serv rsyslog - will create logfiles that do not already exist on the system. + will create logfiles that do not already exist on the system. -The $FileCreateMode - parameter allows you to specify the creation mode with which rsyslog - creates new files. If not specified, the value 0644 is used (which retains backward-compatibility with earlier releases). The value given must always be a 4-digit octal number, with the initial digit being zero. + The $FileCreateMode + parameter allows you to specify the creation mode with which rsyslog + creates new files. If not specified, the value 0644 is used (which retains backward-compatibility with earlier releases). The value given must always be a 4-digit octal number, with the initial digit being zero. Please note that the actual permission depend on rsyslogd’s process umask. $FileCreateMode - may be specified multiple times. If so, it specifies the creation mode for all selector lines that follow until the next $FileCreateMode parameter. Order of lines is vitally important. + may be specified multiple times. If so, it specifies the creation mode for all selector lines that follow until the next $FileCreateMode parameter. Order of lines is vitally important. @@ -24622,9 +24622,9 @@ The $FileCreateMode It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. Note: - This recommendation only applies if rsyslog - is the chosen method for client side logging. Do not apply this recommendation if systemd-journald - is used. + This recommendation only applies if rsyslog + is the chosen method for client side logging. Do not apply this recommendation if systemd-journald + is used. 
@@ -24639,17 +24639,17 @@ The $FileCreateMode -Edit either /etc/rsyslog.conf - or a dedicated .conf - file in /etc/rsyslog.d/ - and set $FileCreateMode - to 0640 - or more restrictive: + Edit either /etc/rsyslog.conf + or a dedicated .conf + file in /etc/rsyslog.d/ + and set $FileCreateMode + to 0640 + or more restrictive: $FileCreateMode 0640 - + Restart the service: # systemctl restart rsyslog - + @@ -24671,9 +24671,9 @@ Edit either /etc/rsyslog.conf Ensure rsyslog logging is configured -The /etc/rsyslog.conf - and /etc/rsyslog.d/*.conf - files specifies rules for logging and which files are to be used to log certain classes of messages. + The /etc/rsyslog.conf + and /etc/rsyslog.d/*.conf + files specifies rules for logging and which files are to be used to log certain classes of messages. @@ -24700,13 +24700,13 @@ The /etc/rsyslog.conf -A great deal of important security-related information is sent via rsyslog - (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.). + A great deal of important security-related information is sent via rsyslog + (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.). Note: - This recommendation only applies if rsyslog - is the chosen method for client side logging. Do not apply this recommendation if journald - is used. + This recommendation only applies if rsyslog + is the chosen method for client side logging. Do not apply this recommendation if journald + is used. 
@@ -24717,33 +24717,33 @@ A great deal of important security-related information is sent via -Edit the following lines in the /etc/rsyslog.conf - and /etc/rsyslog.d/*.conf - files as appropriate for your environment. + Edit the following lines in the /etc/rsyslog.conf + and /etc/rsyslog.d/*.conf + files as appropriate for your environment. Note: - The below configuration is shown for example purposes only. Due care should be given to how the organization wishes to store log data. + The below configuration is shown for example purposes only. Due care should be given to how the organization wishes to store log data. -*.emerg :omusrmsg:*
-auth,authpriv.* /var/log/secure
-mail.* -/var/log/mail
-mail.info -/var/log/mail.info
-mail.warning -/var/log/mail.warn
-mail.err /var/log/mail.err
-cron.* /var/log/cron
-*.=warning;*.=err -/var/log/warn
-*.crit /var/log/warn
-*.*;mail.none;news.none -/var/log/messages
-local0,local1.* -/var/log/localmessages
-local2,local3.* -/var/log/localmessages
-local4,local5.* -/var/log/localmessages
-local6,local7.* -/var/log/localmessages -
- -Run the following command to reload the rsyslogd - configuration: + *.emerg :omusrmsg:*
+ auth,authpriv.* /var/log/secure
+ mail.* -/var/log/mail
+ mail.info -/var/log/mail.info
+ mail.warning -/var/log/mail.warn
+ mail.err /var/log/mail.err
+ cron.* /var/log/cron
+ *.=warning;*.=err -/var/log/warn
+ *.crit /var/log/warn
+ *.*;mail.none;news.none -/var/log/messages
+ local0,local1.* -/var/log/localmessages
+ local2,local3.* -/var/log/localmessages
+ local4,local5.* -/var/log/localmessages
+ local6,local7.* -/var/log/localmessages + + + Run the following command to reload the rsyslogd + configuration: # systemctl restart rsyslog - +
@@ -24753,7 +24753,7 @@ Run the following command to reload the rsyslog - supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management. + supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management. @@ -24779,17 +24779,17 @@ Run the following command to reload the -In addition, see the rsyslog documentation - for implementation details of TLS. + In addition, see the rsyslog documentation + for implementation details of TLS. Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system. Note: - This recommendation only applies if rsyslog - is the chosen method for client side logging. Do not apply this recommendation if systemd-journald - is used. + This recommendation only applies if rsyslog + is the chosen method for client side logging. Do not apply this recommendation if systemd-journald + is used. @@ -24801,24 +24801,24 @@ In addition, see the /etc/rsyslog.conf - and /etc/rsyslog.d/*.conf - files and add the following line (where loghost.example.com - is the name of your central log host). The target - directive may either be a fully qualified domain name or an IP address. + Edit the /etc/rsyslog.conf + and /etc/rsyslog.d/*.conf + files and add the following line (where loghost.example.com + is the name of your central log host). The target + directive may either be a fully qualified domain name or an IP address. Example: -*.* action(type="omfwd" target="loghost.example.com" port="514" protocol="tcp"
- action.resumeRetryCount="100"
- queue.type="LinkedList" queue.size="1000") -
+ *.* action(type="omfwd" target="loghost.example.com" port="514" protocol="tcp"
+ action.resumeRetryCount="100"
+ queue.type="LinkedList" queue.size="1000") + -Run the following command to reload rsyslog.service -: + Run the following command to reload rsyslog.service + : # systemctl reload-or-restart rsyslog.service - + @@ -24828,7 +24828,7 @@ Run the following command to reload rsyslog - supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. + supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. @@ -24852,9 +24852,9 @@ Run the following command to reload rsyslog - is the chosen method for client side logging. Do not apply this recommendation if systemd-journald - is used. + This recommendation only applies if rsyslog + is the chosen method for client side logging. Do not apply this recommendation if systemd-journald + is used. @@ -24864,26 +24864,26 @@ Run the following command to reload /etc/rsyslog.conf - or /etc/rsyslog.d/*.conf -. + Should there be any active log server configuration found in the auditing section, modify those files and remove the specific lines highlighted by the audit. Verify none of the following entries are present in any of /etc/rsyslog.conf + or /etc/rsyslog.d/*.conf + . advanced format -module(load="imtcp")
-input(type="imtcp" port="514") -
+ module(load="imtcp")
+ input(type="imtcp" port="514") + deprecated legacy format -$ModLoad imtcp
-$InputTCPServerRun -
+ $ModLoad imtcp
+ $InputTCPServerRun + Restart the service: # systemctl restart rsyslog - + @@ -24935,9 +24935,9 @@ $InputTCPServerRun Ensure rsyslog logrotate is configured -The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/logrotate.d/rsyslog - is the configuration file used to rotate log files created by rsyslog -. + The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/logrotate.d/rsyslog + is the configuration file used to rotate log files created by rsyslog + . @@ -24958,19 +24958,19 @@ The system includes the capability of rotating log files regularly to avoid fill -If no maxage - setting is set for logrotate - a situation can occur where logrotate - is interrupted and fails to delete rotated log files. It is recommended to set this to a value greater than the longest any log file should exist on your system to ensure that any such log file is removed but standard rotation settings are not overridden. + If no maxage + setting is set for logrotate + a situation can occur where logrotate + is interrupted and fails to delete rotated log files. It is recommended to set this to a value greater than the longest any log file should exist on your system to ensure that any such log file is removed but standard rotation settings are not overridden. By keeping the log files smaller and more manageable, a system administrator can easily archive these files to another system and spend less time looking through inordinately large log files. Note: - This recommendation only applies if rsyslog - is the chosen method for client side logging. Do not apply this recommendation if systemd-journald - is used. + This recommendation only applies if rsyslog + is the chosen method for client side logging. Do not apply this recommendation if systemd-journald + is used. 
@@ -24980,24 +24980,24 @@ If no maxage -Edit /etc/logrotate.conf - and /etc/logrotate.d/* - to ensure logs are rotated according to site policy. + Edit /etc/logrotate.conf + and /etc/logrotate.d/* + to ensure logs are rotated according to site policy. Example logrotate configuration that specifies log files be rotated weekly, keep 4 backlogs, compress old log files, ignores missing and empty log files, postrotate to reload rsyslog service after logs are rotated -/var/log/rsyslog/*.log {
- weekly
- rotate 4
- compress
- missingok
- notifempty
- postrotate
- /usr/bin/systemctl reload rsyslog.service >/dev/null || true
- endscript
-} -
+ /var/log/rsyslog/*.log {
+ weekly
+ rotate 4
+ compress
+ missingok
+ notifempty
+ postrotate
+ /usr/bin/systemctl reload rsyslog.service >/dev/null || true
+ endscript
+ } +
@@ -25011,8 +25011,8 @@ Edit /etc/logrotate.conf Log files contain information from many services on the the local system, or in the event of a centralized log server, others systems logs as well. -In general log files are found in /var/log/ -, although application can be configured to store logs elsewhere. Should your application store logs in another, ensure to run the same test on that location. + In general log files are found in /var/log/ + , although application can be configured to store logs elsewhere. Should your application store logs in another, ensure to run the same test on that location. @@ -25042,117 +25042,117 @@ In general log files are found in -Run the following script to update permissions and ownership on files in /var/log -. + Run the following script to update permissions and ownership on files in /var/log + . Although the script is not destructive, ensure that the output is captured in the event that the remediation causes issues. -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_op2="" l_output2=""
- l_uidmin="$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"
- file_test_fix()
- {
- l_op2=""
- l_fuser="root"
- l_fgroup="root"
- if [ $(( $l_mode & $perm_mask )) -gt 0 ]; then
- l_op2="$l_op2\n - Mode: \"$l_mode\" should be \"$maxperm\" or more restrictive\n - Removing excess permissions"
- chmod "$l_rperms" "$l_fname"
- fi
- if [[ ! "$l_user" =~ $l_auser ]]; then
- l_op2="$l_op2\n - Owned by: \"$l_user\" and should be owned by \"${l_auser//|/ or }\"\n - Changing ownership to: \"$l_fuser\""
- chown "$l_fuser" "$l_fname"
- fi
- if [[ ! "$l_group" =~ $l_agroup ]]; then
- l_op2="$l_op2\n - Group owned by: \"$l_group\" and should be group owned by \"${l_agroup//|/ or }\"\n - Changing group ownership to: \"$l_fgroup\""
- chgrp "$l_fgroup" "$l_fname"
- fi
- [ -n "$l_op2" ] && l_output2="$l_output2\n - File: \"$l_fname\" is:$l_op2\n"
- }
- unset a_file && a_file=() # clear and initialize array
- # Loop to create array with stat of files that could possibly fail one of the audits
- while IFS= read -r -d $'\0' l_file; do
- [ -e "$l_file" ] && a_file+=("$(stat -Lc '%n^%#a^%U^%u^%G^%g' "$l_file")")
- done < <(find -L /var/log -type f \( -perm /0137 -o ! -user root -o ! -group root \) -print0)
- while IFS="^" read -r l_fname l_mode l_user l_uid l_group l_gid; do
- l_bname="$(basename "$l_fname")"
- case "$l_bname" in
- lastlog | lastlog.* | wtmp | wtmp.* | wtmp-* | btmp | btmp.* | btmp-* | README)
- perm_mask='0113'
- maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
- l_rperms="ug-x,o-wx"
- l_auser="root"
- l_agroup="(root|utmp)"
- file_test_fix
- ;;
- secure | auth.log | syslog | messages)
- perm_mask='0137'
- maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
- l_rperms="u-x,g-wx,o-rwx"
- l_auser="(root|syslog)"
- l_agroup="(root|adm)"
- file_test_fix
- ;;
- SSSD | sssd)
- perm_mask='0117'
- maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
- l_rperms="ug-x,o-rwx"
- l_auser="(root|SSSD)"
- l_agroup="(root|SSSD)"
- file_test_fix
- ;;
- gdm | gdm3)
- perm_mask='0117'
- l_rperms="ug-x,o-rwx"
- maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
- l_auser="root"
- l_agroup="(root|gdm|gdm3)"
- file_test_fix
- ;;
- *.journal | *.journal~)
- perm_mask='0137'
- maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
- l_rperms="u-x,g-wx,o-rwx"
- l_auser="root"
- l_agroup="(root|systemd-journal)"
- file_test_fix
- ;;
- *)
- perm_mask='0137'
- maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
- l_rperms="u-x,g-wx,o-rwx"
- l_auser="(root|syslog)"
- l_agroup="(root|adm)"
- if [ "$l_uid" -lt "$l_uidmin" ] && [ -z "$(awk -v grp="$l_group" -F: '$1==grp {print $4}' /etc/group)" ]; then
- if [[ ! "$l_user" =~ $l_auser ]]; then
- l_auser="(root|syslog|$l_user)"
- fi
- if [[ ! "$l_group" =~ $l_agroup ]]; then
- l_tst=""
- while l_out3="" read -r l_duid; do
- [ "$l_duid" -ge "$l_uidmin" ] && l_tst=failed
- done <<< "$(awk -F: '$4=='"$l_gid"' {print $3}' /etc/passwd)"
- [ "$l_tst" != "failed" ] && l_agroup="(root|adm|$l_group)"
- fi
- fi
- file_test_fix
- ;;
- esac
- done <<< "$(printf '%s\n' "${a_file[@]}")"
- unset a_file # Clear array
- # If all files passed, then we report no changes
- if [ -z "$l_output2" ]; then
- echo -e "- All files in \"/var/log/\" have appropriate permissions and ownership\n - No changes required\n"
- else
- # print report of changes
- echo -e "\n$l_output2"
- fi
-} -
+ {
+ l_op2="" l_output2=""
+ l_uidmin="$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"
+ file_test_fix()
+ {
+ l_op2=""
+ l_fuser="root"
+ l_fgroup="root"
+ if [ $(( $l_mode & $perm_mask )) -gt 0 ]; then
+ l_op2="$l_op2\n - Mode: \"$l_mode\" should be \"$maxperm\" or more restrictive\n - Removing excess permissions"
+ chmod "$l_rperms" "$l_fname"
+ fi
+ if [[ ! "$l_user" =~ $l_auser ]]; then
+ l_op2="$l_op2\n - Owned by: \"$l_user\" and should be owned by \"${l_auser//|/ or }\"\n - Changing ownership to: \"$l_fuser\""
+ chown "$l_fuser" "$l_fname"
+ fi
+ if [[ ! "$l_group" =~ $l_agroup ]]; then
+ l_op2="$l_op2\n - Group owned by: \"$l_group\" and should be group owned by \"${l_agroup//|/ or }\"\n - Changing group ownership to: \"$l_fgroup\""
+ chgrp "$l_fgroup" "$l_fname"
+ fi
+ [ -n "$l_op2" ] && l_output2="$l_output2\n - File: \"$l_fname\" is:$l_op2\n"
+ }
+ unset a_file && a_file=() # clear and initialize array
+ # Loop to create array with stat of files that could possibly fail one of the audits
+ while IFS= read -r -d $'\0' l_file; do
+ [ -e "$l_file" ] && a_file+=("$(stat -Lc '%n^%#a^%U^%u^%G^%g' "$l_file")")
+ done < <(find -L /var/log -type f \( -perm /0137 -o ! -user root -o ! -group root \) -print0)
+ while IFS="^" read -r l_fname l_mode l_user l_uid l_group l_gid; do
+ l_bname="$(basename "$l_fname")"
+ case "$l_bname" in
+ lastlog | lastlog.* | wtmp | wtmp.* | wtmp-* | btmp | btmp.* | btmp-* | README)
+ perm_mask='0113'
+ maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
+ l_rperms="ug-x,o-wx"
+ l_auser="root"
+ l_agroup="(root|utmp)"
+ file_test_fix
+ ;;
+ secure | auth.log | syslog | messages)
+ perm_mask='0137'
+ maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
+ l_rperms="u-x,g-wx,o-rwx"
+ l_auser="(root|syslog)"
+ l_agroup="(root|adm)"
+ file_test_fix
+ ;;
+ SSSD | sssd)
+ perm_mask='0117'
+ maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
+ l_rperms="ug-x,o-rwx"
+ l_auser="(root|SSSD)"
+ l_agroup="(root|SSSD)"
+ file_test_fix
+ ;;
+ gdm | gdm3)
+ perm_mask='0117'
+ l_rperms="ug-x,o-rwx"
+ maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
+ l_auser="root"
+ l_agroup="(root|gdm|gdm3)"
+ file_test_fix
+ ;;
+ *.journal | *.journal~)
+ perm_mask='0137'
+ maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
+ l_rperms="u-x,g-wx,o-rwx"
+ l_auser="root"
+ l_agroup="(root|systemd-journal)"
+ file_test_fix
+ ;;
+ *)
+ perm_mask='0137'
+ maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
+ l_rperms="u-x,g-wx,o-rwx"
+ l_auser="(root|syslog)"
+ l_agroup="(root|adm)"
+ if [ "$l_uid" -lt "$l_uidmin" ] && [ -z "$(awk -v grp="$l_group" -F: '$1==grp {print $4}' /etc/group)" ]; then
+ if [[ ! "$l_user" =~ $l_auser ]]; then
+ l_auser="(root|syslog|$l_user)"
+ fi
+ if [[ ! "$l_group" =~ $l_agroup ]]; then
+ l_tst=""
+ while l_out3="" read -r l_duid; do
+ [ "$l_duid" -ge "$l_uidmin" ] && l_tst=failed
+ done <<< "$(awk -F: '$4=='"$l_gid"' {print $3}' /etc/passwd)"
+ [ "$l_tst" != "failed" ] && l_agroup="(root|adm|$l_group)"
+ fi
+ fi
+ file_test_fix
+ ;;
+ esac
+ done <<< "$(printf '%s\n' "${a_file[@]}")"
+ unset a_file # Clear array
+ # If all files passed, then we report no changes
+ if [ -z "$l_output2" ]; then
+ echo -e "- All files in \"/var/log/\" have appropriate permissions and ownership\n - No changes required\n"
+ else
+ # print report of changes
+ echo -e "\n$l_output2"
+ fi
+ } + Note: - You may also need to change the configuration for your logging software or services for any logs that had incorrect permissions. + You may also need to change the configuration for your logging software or services for any logs that had incorrect permissions. If there are services that log to other locations, ensure that those log files have the appropriate access configured. @@ -25170,9 +25170,9 @@ Run the following script to update permissions and ownership on files in System Auditing -The Linux Auditing System operates on a set of rules that collects certain types of system activity to facilitate incident investigation, detect unauthorized access or modification of data. By default events will be logged to /var/log/audit/audit.log -, which can be configured in /etc/audit/auditd.conf -. + The Linux Auditing System operates on a set of rules that collects certain types of system activity to facilitate incident investigation, detect unauthorized access or modification of data. By default events will be logged to /var/log/audit/audit.log + , which can be configured in /etc/audit/auditd.conf + . The following types of audit rules can be specified: Control rules: Configuration of the auditing system. 
@@ -25182,59 +25182,59 @@ The Linux Auditing System operates on a set of rules that collects certain types Audit rules can be set: -On the command line using the auditctl - utility. These rules are not persistent across reboots. + On the command line using the auditctl + utility. These rules are not persistent across reboots. -In /etc/audit/audit.rules -. These rules have to be merged and loaded before they are active. + In /etc/audit/audit.rules + . These rules have to be merged and loaded before they are active. Notes: -For 64 bit systems that have arch - as a rule parameter, you will need two rules: one for 64 bit and one for 32 bit systems calls. For 32 bit systems, only one rule is needed. + For 64 bit systems that have arch + as a rule parameter, you will need two rules: one for 64 bit and one for 32 bit systems calls. For 32 bit systems, only one rule is needed. -If the auditing system is configured to be locked ( -e 2 -), a system reboot will be required in order to load any changes. + If the auditing system is configured to be locked ( -e 2 + ), a system reboot will be required in order to load any changes. Key names are optional on the rules and will not be used in compliance auditing. The usage of key names is highly recommended as it facilitates organization and searching; as such, all remediation steps will have key names supplied. -It is best practice to store the rules, in number prepended files, in /etc/audit/rules.d/ -. Rules must end in a .rules - suffix. This then requires the use of augenrules - to merge all the rules into /etc/audit/audit.rules - based on their alphabetical (lexical) sort order. All benchmark recommendations follow this best practice for remediation, specifically using the prefix of 50 - which is center weighed if all rule sets make use of the number prepending naming convention. + It is best practice to store the rules, in number prepended files, in /etc/audit/rules.d/ + . Rules must end in a .rules + suffix. 
This then requires the use of augenrules + to merge all the rules into /etc/audit/audit.rules + based on their alphabetical (lexical) sort order. All benchmark recommendations follow this best practice for remediation, specifically using the prefix of 50 + which is center weighed if all rule sets make use of the number prepending naming convention. -Your system may have been customized to change the default UID_MIN -. All sample output uses 1000 -, but this value will not be used in compliance auditing. To confirm the UID_MIN - for your system, run the following command: awk '/^\s*UID_MIN/{print $2}' /etc/login.defs + Your system may have been customized to change the default UID_MIN + . All sample output uses 1000 + , but this value will not be used in compliance auditing. To confirm the UID_MIN + for your system, run the following command: awk '/^\s*UID_MIN/{print $2}' /etc/login.defs Normalization - -The Audit system normalizes some entries, so when you look at the sample output keep in mind that: + + The Audit system normalizes some entries, so when you look at the sample output keep in mind that: -With regards to users whose login UID is not set, the values -1 - / unset - / 4294967295 - are equivalent and normalized to -1 -. + With regards to users whose login UID is not set, the values -1 + / unset + / 4294967295 + are equivalent and normalized to -1 + . -When comparing field types and both sides of the comparison is valid fields types, such as euid!=uid -, then the auditing system may normalize such that the output is uid!=euid -. + When comparing field types and both sides of the comparison is valid fields types, such as euid!=uid + , then the auditing system may normalize such that the output is uid!=euid + . Some parts of the rule may be rearranged whilst others are dependent on previous syntax. 
For example, the following two statements are the same: -a always,exit -F arch=b64 -S execve -C uid!=euid -F auid!=-1 -F key=user_emulation - + and -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation - + Capacity planning @@ -25255,7 +25255,7 @@ When comparing field types and both sides of the comparison is valid fields type auditd - is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. + is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. @@ -25297,11 +25297,11 @@ When comparing field types and both sides of the comparison is valid fields type -Run the following command to install audit - and audit-libs -: + Run the following command to install audit + and audit-libs + : # dnf install audit audit-libs - + @@ -25318,9 +25318,9 @@ Run the following command to install Ensure auditing for processes that start prior to auditd is enabled -Configure grub2 - so that processes that are capable of being audited can be audited even if they start up prior to auditd - startup. + Configure grub2 + so that processes that are capable of being audited can be audited even if they start up prior to auditd + startup. 
@@ -25343,7 +25343,7 @@ Configure grub2 This recommendation is designed around the grub 2 bootloader, if another bootloader is in use in your environment enact equivalent settings. grubby - is a command line tool used to configure bootloader menu entries across multiple architectures. It is used for updating and displaying information about the configuration files for various architecture specific bootloaders. + is a command line tool used to configure bootloader menu entries across multiple architectures. It is used for updating and displaying information about the configuration files for various architecture specific bootloaders. It is primarily designed to be used from scripts which install new kernels and need to find information about the current boot environment. The grubby executable has full support for the grub2 bootloader on x86_64 systems using legacy BIOS or modern UEFI firmware and ppc64 and ppc64le hardware using OPAL or SLOF as firmware. Legacy s390 and the current s390x architectures and their zipl bootloader are fully supported. @@ -25354,8 +25354,8 @@ Configure grub2 -Audit events need to be captured on processes that start up prior to auditd - , so that potential malicious activity cannot go undetected. + Audit events need to be captured on processes that start up prior to auditd + , so that potential malicious activity cannot go undetected. 
@@ -25363,24 +25363,24 @@ Audit events need to be captured on processes that start up prior to -Run the following command to update the grub2 - configuration with audit=1 -: + Run the following command to update the grub2 + configuration with audit=1 + : # grubby --update-kernel ALL --args 'audit=1' - + -Edit /etc/default/grub - and add audit=1 - to the GRUB_CMDLINE_LINUX= - line between the opening and closing double quotes: + Edit /etc/default/grub + and add audit=1 + to the GRUB_CMDLINE_LINUX= + line between the opening and closing double quotes: Example: GRUB_CMDLINE_LINUX="quiet audit=1" - + Note: - Other parameters may also be listed + Other parameters may also be listed @@ -25399,8 +25399,8 @@ Edit /etc/default/grubEnsure audit_backlog_limit is sufficient -The audit_backlog_limit - parameter determines how auditd records can be held in the auditd backlog. The default setting of 64 may be insufficient to store all audit events during boot. + The audit_backlog_limit + parameter determines how auditd records can be held in the auditd backlog. The default setting of 64 may be insufficient to store all audit events during boot. 
@@ -25423,7 +25423,7 @@ The audit_backlog_limitThis recommendation is designed around the grub 2 bootloader, if another bootloader is in use in your environment enact equivalent settings. grubby - is a command line tool used to configure bootloader menu entries across multiple architectures. It is used for updating and displaying information about the configuration files for various architecture specific bootloaders. + is a command line tool used to configure bootloader menu entries across multiple architectures. It is used for updating and displaying information about the configuration files for various architecture specific bootloaders. It is primarily designed to be used from scripts which install new kernels and need to find information about the current boot environment. The grubby executable has full support for the grub2 bootloader on x86_64 systems using legacy BIOS or modern UEFI firmware and ppc64 and ppc64le hardware using OPAL or SLOF as firmware. Legacy s390 and the current s390x architectures and their zipl bootloader are fully supported. @@ -25434,8 +25434,8 @@ The audit_backlog_limit -During boot if audit=1 -, then the backlog will hold 64 records. If more than 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected. + During boot if audit=1 + , then the backlog will hold 64 records. If more than 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected. 
@@ -25444,28 +25444,28 @@ During boot if audit=1 -Run the following command to add audit_backlog_limit=<BACKLOG SIZE> - to GRUB_CMDLINE_LINUX: + Run the following command to add audit_backlog_limit=<BACKLOG SIZE> + to GRUB_CMDLINE_LINUX: # grubby --update-kernel ALL --args 'audit_backlog_limit=<BACKLOG SIZE>' - + Example: # grubby --update-kernel ALL --args 'audit_backlog_limit=8192' - + -Edit /etc/default/grub - and add audit_backlog_limit=<BACKLOG SIZE> - to the GRUB_CMDLINE_LINUX= - line between the opening and closing double quotes: + Edit /etc/default/grub + and add audit_backlog_limit=<BACKLOG SIZE> + to the GRUB_CMDLINE_LINUX= + line between the opening and closing double quotes: Example: GRUB_CMDLINE_LINUX="quiet audit_backlog_limit=8192" - + Note: - Other parameters may also be listed + Other parameters may also be listed @@ -25484,8 +25484,8 @@ Edit /etc/default/grubEnsure auditd service is enabled and active -Turn on the auditd - daemon to record system events. + Turn on the auditd + daemon to record system events. @@ -25524,13 +25524,13 @@ Turn on the auditd -Run the following commands to unmask, enable and start auditd -: + Run the following commands to unmask, enable and start auditd + : -# systemctl unmask auditd
-# systemctl enable auditd
-# systemctl start auditd -
+ # systemctl unmask auditd
+ # systemctl enable auditd
+ # systemctl start auditd +
@@ -25575,11 +25575,11 @@ Run the following commands to unmask, enable and start -The max_log_file - parameter is measured in megabytes. + The max_log_file + parameter is measured in megabytes. -Other methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd - configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness. + Other methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd + configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness.
@@ -25592,10 +25592,10 @@ Other methods of log rotation may be appropriate based on site policy. One exam -Set the following parameter in /etc/audit/auditd.conf - in accordance with site policy: + Set the following parameter in /etc/audit/auditd.conf + in accordance with site policy: max_log_file = <MB> - + @@ -25609,9 +25609,9 @@ Set the following parameter in Ensure audit logs are not automatically deleted -The max_log_file_action - setting determines how to handle the audit log file reaching the max file size. A value of keep_logs - will rotate the logs but never delete old logs. + The max_log_file_action + setting determines how to handle the audit log file reaching the max file size. A value of keep_logs + will rotate the logs but never delete old logs. @@ -25641,10 +25641,10 @@ The max_log_file_action -Set the following parameter in /etc/audit/auditd.conf: + Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs - + 
@@ -25658,69 +25658,69 @@ Set the following parameter in Ensure system is disabled when audit logs are full -The auditd - daemon can be configured to halt the system or put the system in single user mode, if no free space is available or an error is detected on the partition that holds the audit log files. - -The disk_full_action - parameter tells the system what action to take when no free space is available on the partition that holds the audit log files. Valid values are ignore -, syslog -, rotate -, exec -, suspend -, single -, and halt -. + The auditd + daemon can be configured to halt the system or put the system in single user mode, if no free space is available or an error is detected on the partition that holds the audit log files. + + The disk_full_action + parameter tells the system what action to take when no free space is available on the partition that holds the audit log files. Valid values are ignore + , syslog + , rotate + , exec + , suspend + , single + , and halt + . ignore -, the audit daemon will issue a syslog message but no other action is taken + , the audit daemon will issue a syslog message but no other action is taken syslog -, the audit daemon will issue a warning to syslog + , the audit daemon will issue a warning to syslog rotate -, the audit daemon will rotate logs, losing the oldest to free up space + , the audit daemon will rotate logs, losing the oldest to free up space exec -, /path-to-script will execute the script. You cannot pass parameters to the script. The script is also responsible for telling the auditd daemon to resume logging once its completed its action + , /path-to-script will execute the script. You cannot pass parameters to the script. 
The script is also responsible for telling the auditd daemon to resume logging once its completed its action suspend -, the audit daemon will stop writing records to the disk + , the audit daemon will stop writing records to the disk single -, the audit daemon will put the computer system in single user mode + , the audit daemon will put the computer system in single user mode halt -, the audit daemon will shut down the system + , the audit daemon will shut down the system -The disk_error_action - parameter tells the system what action to take when an error is detected on the partition that holds the audit log files. Valid values are ignore -, syslog -, exec -, suspend -, single -, and halt -. + The disk_error_action + parameter tells the system what action to take when an error is detected on the partition that holds the audit log files. Valid values are ignore + , syslog + , exec + , suspend + , single + , and halt + . ignore -, the audit daemon will not take any action + , the audit daemon will not take any action syslog -, the audit daemon will issue no more than 5 consecutive warnings to syslog + , the audit daemon will issue no more than 5 consecutive warnings to syslog exec -, /path-to-script will execute the script. You cannot pass parameters to the script + , /path-to-script will execute the script. You cannot pass parameters to the script suspend -, the audit daemon will stop writing records to the disk + , the audit daemon will stop writing records to the disk single -, the audit daemon will put the computer system in single user mode + , the audit daemon will put the computer system in single user mode halt -, the audit daemon will shut down the system + , the audit daemon will shut down the system 
@@ -25751,50 +25751,50 @@ The disk_error_action -Set one of the following parameters in /etc/audit/auditd.conf - depending on your local security policies. + Set one of the following parameters in /etc/audit/auditd.conf + depending on your local security policies. -disk_full_action = <halt|single>
-disk_error_action = <syslog|single|halt> -
+ disk_full_action = <halt|single>
+ disk_error_action = <syslog|single|halt> + Example: -disk_full_action = halt
-disk_error_action = halt -
+ disk_full_action = halt
+ disk_error_action = halt + Impact: disk_full_action - parameter: + parameter: -Set to halt - - the auditd - daemon will shutdown the system when the disk partition containing the audit logs becomes full. + Set to halt + - the auditd + daemon will shutdown the system when the disk partition containing the audit logs becomes full. -Set to single - - the auditd - daemon will put the computer system in single user mode when the disk partition containing the audit logs becomes full. + Set to single + - the auditd + daemon will put the computer system in single user mode when the disk partition containing the audit logs becomes full. disk_error_action - parameter: + parameter: -Set to halt - - the auditd - daemon will shutdown the system when an error is detected on the partition that holds the audit log files. + Set to halt + - the auditd + daemon will shutdown the system when an error is detected on the partition that holds the audit log files. -Set to single - - the auditd - daemon will put the computer system in single user mode when an error is detected on the partition that holds the audit log files. + Set to single + - the auditd + daemon will put the computer system in single user mode when an error is detected on the partition that holds the audit log files. -Set to syslog - - the auditd - daemon will issue no more than 5 consecutive warnings to syslog when an error is detected on the partition that holds the audit log files. + Set to syslog + - the auditd + daemon will issue no more than 5 consecutive warnings to syslog when an error is detected on the partition that holds the audit log files. 
@@ -25813,83 +25813,83 @@ Set to syslogEnsure system warns when audit logs are low on space -The auditd - daemon can be configured to halt the system, put the system in single user mode or send a warning message, if the partition that holds the audit log files is low on space. - -The space_left_action - parameter tells the system what action to take when the system has detected that it is starting to get low on disk space. Valid values are ignore -, syslog -, rotate -, email -, exec -, suspend -, single -, and halt -. + The auditd + daemon can be configured to halt the system, put the system in single user mode or send a warning message, if the partition that holds the audit log files is low on space. + + The space_left_action + parameter tells the system what action to take when the system has detected that it is starting to get low on disk space. Valid values are ignore + , syslog + , rotate + , email + , exec + , suspend + , single + , and halt + . ignore -, the audit daemon does nothing + , the audit daemon does nothing syslog -, the audit daemon will issue a warning to syslog + , the audit daemon will issue a warning to syslog rotate -, the audit daemon will rotate logs, losing the oldest to free up space + , the audit daemon will rotate logs, losing the oldest to free up space email -, the audit daemon will send a warning to the email account specified in action_mail_acct - as well as sending the message to syslog + , the audit daemon will send a warning to the email account specified in action_mail_acct + as well as sending the message to syslog exec -, /path-to-script will execute the script. You cannot pass parameters to the script. The script is also responsible for telling the auditd daemon to resume logging once its completed its action + , /path-to-script will execute the script. You cannot pass parameters to the script. 
The script is also responsible for telling the auditd daemon to resume logging once its completed its action suspend -, the audit daemon will stop writing records to the disk + , the audit daemon will stop writing records to the disk single -, the audit daemon will put the computer system in single user mode + , the audit daemon will put the computer system in single user mode halt -, the audit daemon will shut down the system + , the audit daemon will shut down the system -The admin_space_left_action - parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore -, syslog -, rotate -, email -, exec -, suspend -, single -, and halt -. + The admin_space_left_action + parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore + , syslog + , rotate + , email + , exec + , suspend + , single + , and halt + . ignore -, the audit daemon does nothing + , the audit daemon does nothing syslog -, the audit daemon will issue a warning to syslog + , the audit daemon will issue a warning to syslog rotate -, the audit daemon will rotate logs, losing the oldest to free up space + , the audit daemon will rotate logs, losing the oldest to free up space email -, the audit daemon will send a warning to the email account specified in action_mail_acct - as well as sending the message to syslog + , the audit daemon will send a warning to the email account specified in action_mail_acct + as well as sending the message to syslog exec -, /path-to-script will execute the script. You cannot pass parameters to the script. The script is also responsible for telling the auditd daemon to resume logging once its completed its action + , /path-to-script will execute the script. You cannot pass parameters to the script. 
The script is also responsible for telling the auditd daemon to resume logging once its completed its action suspend -, the audit daemon will stop writing records to the disk + , the audit daemon will stop writing records to the disk single -, the audit daemon will put the computer system in single user mode + , the audit daemon will put the computer system in single user mode halt -, the audit daemon will shut down the system + , the audit daemon will shut down the system @@ -25920,39 +25920,39 @@ The admin_space_left_action
-Set the space_left_action - parameter in /etc/audit/auditd.conf - to email -, exec -, single -, or halt -: + Set the space_left_action + parameter in /etc/audit/auditd.conf + to email + , exec + , single + , or halt + : Example: space_left_action = email - + -Set the admin_space_left_action - parameter in /etc/audit/auditd.conf - to single - or halt -: + Set the admin_space_left_action + parameter in /etc/audit/auditd.conf + to single + or halt + : Example: admin_space_left_action = single - + Note: - A Mail Transfer Agent (MTA) must be installed and configured properly to set space_left_action = email + A Mail Transfer Agent (MTA) must be installed and configured properly to set space_left_action = email Impact: -If the admin_space_left_action - is set to single - the audit daemon will put the computer system in single user mode. + If the admin_space_left_action + is set to single + the audit daemon will put the computer system in single user mode. 
@@ -25981,19 +25981,19 @@ If the admin_space_left_act on the command line using the auditctl utility. Note that these rules are not persistent across reboots. -in a file ending in .rules - in the /etc/audit/rules.d/ - directory. + in a file ending in .rules + in the /etc/audit/rules.d/ + directory. Ensure changes to system administration scope (sudoers) is collected -Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo - command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers -, or files in /etc/sudoers.d -, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier "scope". + Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo + command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers + , or files in /etc/sudoers.d + , will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier "scope". 
@@ -26017,22 +26017,22 @@ Monitor scope changes for system administrators. If the system has been properly Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. -Changes in the /etc/sudoers - and /etc/sudoers.d - files can indicate that an unauthorized change has been made to the scope of system administrator activity. + Changes in the /etc/sudoers + and /etc/sudoers.d + files can indicate that an unauthorized change has been made to the scope of system administrator activity. 
@@ -26041,20 +26041,20 @@ Changes in the /etc/sudoers -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor scope changes for system administrators. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor scope changes for system administrators. Example: # printf '%s\n' "-w /etc/sudoers -p wa -k scope" "-w /etc/sudoers.d -p wa -k scope" >> /etc/audit/rules.d/50-scope.rules - + Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - + @@ -26076,7 +26076,7 @@ Edit or create a file in the sudo - provides users with temporary elevated privileges to perform operations, either as the superuser or another user. + provides users with temporary elevated privileges to perform operations, either as the superuser or another user. 
@@ -26100,21 +26100,21 @@ Edit or create a file in the Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. -Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo -'s logfile to verify if unauthorized commands have been executed. + Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo + 's logfile to verify if unauthorized commands have been executed. 
@@ -26126,27 +26126,27 @@ Creating an audit log of users with temporary elevated privileges and the operat Create audit rules -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor elevated privileges. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor elevated privileges. Example: -# printf "
--a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
--a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
-" >> /etc/audit/rules.d/50-user_emulation.rules -
+ # printf "
+ -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
+ -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
+ " >> /etc/audit/rules.d/50-user_emulation.rules + Load audit rules Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - + @@ -26167,12 +26167,12 @@ Edit or create a file in the Ensure events that modify the sudo log file are collected -Monitor the sudo - log file. If the system has been properly configured to disable the use of the su - command and force all administrators to have to log in first and then use sudo - to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log - . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log - file will be opened for write and the executed administration command will be written to the log. + Monitor the sudo + log file. If the system has been properly configured to disable the use of the su + command and force all administrators to have to log in first and then use sudo + to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log + . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log + file will be opened for write and the executed administration command will be written to the log. 
@@ -26196,22 +26196,22 @@ Monitor the sudo Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. -Changes in /var/log/sudo.log - indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log - to verify if unauthorized commands have been executed. + Changes in /var/log/sudo.log + indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log + to verify if unauthorized commands have been executed. 
@@ -26220,28 +26220,28 @@ Changes in /var/log/sudo.log Note: - This recommendation requires that the sudo logfile is configured. See guidance provided in the recommendation "Ensure sudo log file exists" + This recommendation requires that the sudo logfile is configured. See guidance provided in the recommendation "Ensure sudo log file exists" -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor events that modify the sudo log file. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor events that modify the sudo log file. Example: -# {
-SUDO_LOG_FILE=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*//' -e 's/"//g')
-[ -n "${SUDO_LOG_FILE}" ] && printf "
--w ${SUDO_LOG_FILE} -p wa -k sudo_log_file
-" >> /etc/audit/rules.d/50-sudo.rules || printf "ERROR: Variable 'SUDO_LOG_FILE' is unset.\n"
-} -
+ # {
+ SUDO_LOG_FILE=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*//' -e 's/"//g')
+ [ -n "${SUDO_LOG_FILE}" ] && printf "
+ -w ${SUDO_LOG_FILE} -p wa -k sudo_log_file
+ " >> /etc/audit/rules.d/50-sudo.rules || printf "ERROR: Variable 'SUDO_LOG_FILE' is unset.\n"
+ } + Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - + @@ -26260,18 +26260,18 @@ SUDO_LOG_FILE=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*// adjtimex - - tune kernel clock + - tune kernel clock settimeofday - - set time using timeval - and timezone - structures + - set time using timeval + and timezone + structures stime - - using seconds since 1/1/1970 + - using seconds since 1/1/1970 clock_settime - - allows for the setting of several internal clocks and timers + - allows for the setting of several internal clocks and timers system calls have been executed. Further, ensure to write an audit record to the configured audit log file upon exit, tagging the records with a unique identifier such as "time-change". 
@@ -26297,15 +26297,15 @@ SUDO_LOG_FILE=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*// Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.
@@ -26321,28 +26321,28 @@ For performance ( man 7 audit.ru Create audit rules -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor events that modify date and time information. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor events that modify date and time information. Example: -# printf "
--a always,exit -F arch=b64 -S adjtimex,settimeofday -k time-change
--a always,exit -F arch=b32 -S adjtimex,settimeofday -k time-change
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change
--w /etc/localtime -p wa -k time-change
-" >> /etc/audit/rules.d/50-time-change.rules -
+ # printf "
+ -a always,exit -F arch=b64 -S adjtimex,settimeofday -k time-change
+ -a always,exit -F arch=b32 -S adjtimex,settimeofday -k time-change
+ -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change
+ -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change
+ -w /etc/localtime -p wa -k time-change
+ " >> /etc/audit/rules.d/50-time-change.rules + Load audit rules Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - + @@ -26373,32 +26373,32 @@ Edit or create a file in the sethostname - - set the systems host name + - set the systems host name setdomainname - - set the systems domain name + - set the systems domain name The files being monitored are: /etc/issue - and /etc/issue.net - - messages displayed pre-login + and /etc/issue.net + - messages displayed pre-login /etc/hosts - - file containing host names and associated IP addresses + - file containing host names and associated IP addresses /etc/hostname - - file contains the system's host name + - file contains the system's host name /etc/sysconfig/network - - additional information that is valid to all network interfaces + - additional information that is valid to all network interfaces /etc/sysconfig/network-scripts/ - - directory containing network interface scripts and configurations files + - directory containing network interface scripts and configurations files /etc/NetworkManager/ - - directory contains configuration files and settings used by the NetworkManager + - directory contains configuration files and settings used by the NetworkManager 
@@ -26424,26 +26424,26 @@ Edit or create a file in the Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.
-Monitoring sethostname - and setdomainname - will identify potential unauthorized changes to host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts - file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue - and /etc/issue.net - is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network - is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records should have a relevant tag associated with them. + Monitoring sethostname + and setdomainname + will identify potential unauthorized changes to host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts + file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue + and /etc/issue.net + is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network + is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records should have a relevant tag associated with them. 
@@ -26455,32 +26455,32 @@ Monitoring sethostnameCreate audit rules -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor events that modify the system's network environment. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor events that modify the system's network environment. Example: -# printf "
--a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
--a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
--w /etc/issue -p wa -k system-locale
--w /etc/issue.net -p wa -k system-locale
--w /etc/hosts -p wa -k system-locale
--w /etc/hostname -p wa -k system-locale
--w /etc/sysconfig/network -p wa -k system-locale
--w /etc/sysconfig/network-scripts/ -p wa -k system-locale
--w /etc/NetworkManager -p wa -k system-locale
-" >> /etc/audit/rules.d/50-system_locale.rules -
+ # printf "
+ -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
+ -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
+ -w /etc/issue -p wa -k system-locale
+ -w /etc/issue.net -p wa -k system-locale
+ -w /etc/hosts -p wa -k system-locale
+ -w /etc/hostname -p wa -k system-locale
+ -w /etc/sysconfig/network -p wa -k system-locale
+ -w /etc/sysconfig/network-scripts/ -p wa -k system-locale
+ -w /etc/NetworkManager -p wa -k system-locale
+ " >> /etc/audit/rules.d/50-system_locale.rules + Load audit rules Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - + @@ -26550,9 +26550,9 @@ Edit or create a file in the Ensure use of privileged commands are collected -Monitor privileged programs, those that have the setuid - and/or setgid - bit set on execution, to determine if unprivileged users are running these commands. + Monitor privileged programs, those that have the setuid + and/or setgid + bit set on execution, to determine if unprivileged users are running these commands. @@ -26576,15 +26576,15 @@ Monitor privileged programs, those that have the Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. 
@@ -26597,56 +26597,56 @@ For performance ( man 7 audit.ru -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor the use of privileged commands. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor the use of privileged commands. Example script: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
- AUDIT_RULE_FILE="/etc/audit/rules.d/50-privileged.rules"
- NEW_DATA=()
- for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do
- readarray -t DATA < <(find "${PARTITION}" -xdev -perm /6000 -type f | awk -v UID_MIN=${UID_MIN} '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>="UID_MIN" -F auid!=unset -k privileged" }')
- for ENTRY in "${DATA[@]}"; do
- NEW_DATA+=("${ENTRY}")
- done
- done
- readarray &> /dev/null -t OLD_DATA < "${AUDIT_RULE_FILE}"
- COMBINED_DATA=( "${OLD_DATA[@]}" "${NEW_DATA[@]}" )
- printf '%s\n' "${COMBINED_DATA[@]}" | sort -u > "${AUDIT_RULE_FILE}"
-} -
+ {
+ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+ AUDIT_RULE_FILE="/etc/audit/rules.d/50-privileged.rules"
+ NEW_DATA=()
+ for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do
+ readarray -t DATA < <(find "${PARTITION}" -xdev -perm /6000 -type f | awk -v UID_MIN=${UID_MIN} '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>="UID_MIN" -F auid!=unset -k privileged" }')
+ for ENTRY in "${DATA[@]}"; do
+ NEW_DATA+=("${ENTRY}")
+ done
+ done
+ readarray &> /dev/null -t OLD_DATA < "${AUDIT_RULE_FILE}"
+ COMBINED_DATA=( "${OLD_DATA[@]}" "${NEW_DATA[@]}" )
+ printf '%s\n' "${COMBINED_DATA[@]}" | sort -u > "${AUDIT_RULE_FILE}"
+ } + Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - + Special mount points -If there are any special mount points that are not visible by default from just scanning / -, change the PARTITION - variable to the appropriate partition and re-run the remediation. + If there are any special mount points that are not visible by default from just scanning / + , change the PARTITION + variable to the appropriate partition and re-run the remediation. Impact: -Both the audit and remediation section of this recommendation will traverse all mounted file systems that is not mounted with either noexec - or nosuid - mount options. If there are large file systems without these mount options, such traversal will be significantly detrimental to the performance of the system. + Both the audit and remediation section of this recommendation will traverse all mounted file systems that is not mounted with either noexec + or nosuid + mount options. If there are large file systems without these mount options, such traversal will be significantly detrimental to the performance of the system. Before running either the audit or remediation section, inspect the output of the following command to determine exactly which file systems will be traversed: # findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" - + -To exclude a particular file system due to adverse performance impacts, update the audit and remediation sections by adding a sufficiently unique string to the grep - statement. The above command can be used to test the modified exclusions. + To exclude a particular file system due to adverse performance impacts, update the audit and remediation sections by adding a sufficiently unique string to the grep + statement. 
The above command can be used to test the modified exclusions.
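Review bot: The new side puts a leading space in front of the embedded remediation script, so the shebang now reads `+ #!/usr/bin/env bash` and would no longer be honored if an operator saved and executed the text as shown, because `#!` must be the first two bytes of the file. The same single-space indent is carried into every line the `printf` examples append to `/etc/audit/rules.d/*.rules` (the `-a always,exit …` and `-w … -p wa` lines in the neighboring hunks), which changes the text the benchmark tells a reader to copy, and whether auditctl tolerates leading whitespace in a rules file is not settled by anything in this hunk. If this file is an expected-output fixture, the spaces presumably come from the parser's new text extraction rather than from the benchmark source, and the fix belongs there, by trimming leading whitespace from each extracted line so code-block contents such as `#!/usr/bin/env bash` start at column 0, instead of being recorded in the snapshot.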
@@ -26664,15 +26664,15 @@ To exclude a particular file system due to adverse performance impacts, update t Monitor for unsuccessful attempts to access files. The following parameters are associated with system calls that control files: -creation - creat + creation - creat -opening - open - , openat + opening - open + , openat -truncation - truncate - , ftruncate + truncation - truncate + , ftruncate An audit log record will only be written if all of the following criteria is met for the user when trying to access a file: @@ -26704,15 +26704,15 @@ truncation - truncatePotential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.
@@ -26728,32 +26728,32 @@ For performance ( man 7 audit.ru Create audit rules -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor unsuccessful file access attempts. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor unsuccessful file access attempts. Example: -# {
-UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
-[ -n "${UID_MIN}" ] && printf "
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${UID_MIN} -F auid!=unset -k access
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${UID_MIN} -F auid!=unset -k access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${UID_MIN} -F auid!=unset -k access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${UID_MIN} -F auid!=unset -k access
-" >> /etc/audit/rules.d/50-access.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
-} -
+ # {
+ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+ [ -n "${UID_MIN}" ] && printf "
+ -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${UID_MIN} -F auid!=unset -k access
+ -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${UID_MIN} -F auid!=unset -k access
+ -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${UID_MIN} -F auid!=unset -k access
+ -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${UID_MIN} -F auid!=unset -k access
+ " >> /etc/audit/rules.d/50-access.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
+ } + Load audit rules Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - + @@ -26791,28 +26791,28 @@ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
/etc/group - - system groups + - system groups /etc/passwd - - system users + - system users /etc/gshadow - - encrypted password for each group + - encrypted password for each group /etc/shadow - - system user passwords + - system user passwords /etc/security/opasswd - - storage of old passwords if the relevant PAM module is in use + - storage of old passwords if the relevant PAM module is in use /etc/nsswitch.conf - - file configures how the system uses various databases and name resolution mechanisms + - file configures how the system uses various databases and name resolution mechanisms /etc/pam.conf - - file determines the authentication services to be used, and the order in which the services are used. + - file determines the authentication services to be used, and the order in which the services are used. /etc/pam.d - - directory contains the PAM configuration files for each PAM-aware application. + - directory contains the PAM configuration files for each PAM-aware application. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file. @@ -26838,15 +26838,15 @@ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. @@ -26861,30 +26861,30 @@ For performance ( man 7 audit.ru -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor events that modify user/group information. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor events that modify user/group information. Example: -# printf "
--w /etc/group -p wa -k identity
--w /etc/passwd -p wa -k identity
--w /etc/gshadow -p wa -k identity
--w /etc/shadow -p wa -k identity
--w /etc/security/opasswd -p wa -k identity
--w /etc/nsswitch.conf -p wa -k identity
--w /etc/pam.conf -p wa -k identity
--w /etc/pam.d -p wa -k identity
-" >> /etc/audit/rules.d/50-identity.rules -
+ # printf "
+ -w /etc/group -p wa -k identity
+ -w /etc/passwd -p wa -k identity
+ -w /etc/gshadow -p wa -k identity
+ -w /etc/shadow -p wa -k identity
+ -w /etc/security/opasswd -p wa -k identity
+ -w /etc/nsswitch.conf -p wa -k identity
+ -w /etc/pam.conf -p wa -k identity
+ -w /etc/pam.d -p wa -k identity
+ " >> /etc/audit/rules.d/50-identity.rules + Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - +
@@ -27012,15 +27012,15 @@ Edit or create a file in the Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. @@ -27036,34 +27036,34 @@ For performance ( man 7 audit.ru Create audit rules -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor discretionary access control permission modification events. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor discretionary access control permission modification events. Example: -# {
-UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
-[ -n "${UID_MIN}" ] && printf "
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod
-" >> /etc/audit/rules.d/50-perm_mod.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
-} -
+ # {
+ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+ [ -n "${UID_MIN}" ] && printf "
+ -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod
+ -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod
+ -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod
+ -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod
+ -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod
+ -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod
+ " >> /etc/audit/rules.d/50-perm_mod.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
+ } + Load audit rules Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - + @@ -27084,10 +27084,10 @@ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
Ensure successful file system mounts are collected -Monitor the use of the mount - system call. The mount - (and umount - ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user + Monitor the use of the mount + system call. The mount + (and umount + ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user 
@@ -27111,25 +27111,25 @@ Monitor the use of the mountPotential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. -It is highly unusual for a non privileged user to mount - file systems to the system. While tracking mount - commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open -, creat - and truncate - system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. 
The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. + It is highly unusual for a non privileged user to mount + file systems to the system. While tracking mount + commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open + , creat + and truncate + system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. @@ -27141,30 +27141,30 @@ It is highly unusual for a non privileged user to Create audit rules -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor successful file system mounts. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor successful file system mounts. Example: -# {
-UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
-[ -n "${UID_MIN}" ] && printf "
--a always,exit -F arch=b32 -S mount -F auid>=$UID_MIN -F auid!=unset -k mounts
--a always,exit -F arch=b64 -S mount -F auid>=$UID_MIN -F auid!=unset -k mounts
-" >> /etc/audit/rules.d/50-mounts.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
-} -
+ # {
+ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+ [ -n "${UID_MIN}" ] && printf "
+ -a always,exit -F arch=b32 -S mount -F auid>=$UID_MIN -F auid!=unset -k mounts
+ -a always,exit -F arch=b64 -S mount -F auid>=$UID_MIN -F auid!=unset -k mounts
+ " >> /etc/audit/rules.d/50-mounts.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
+ } + Load audit rules Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - + @@ -27188,14 +27188,14 @@ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
/var/run/utmp - - tracks all currently logged in users. + - tracks all currently logged in users. /var/log/wtmp - - file tracks logins, logouts, shutdown, and reboot events. + - file tracks logins, logouts, shutdown, and reboot events. /var/log/btmp - - keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp -. + - keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp + . All audit records will be tagged with the identifier "session." @@ -27226,15 +27226,15 @@ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. @@ -27248,25 +27248,25 @@ For performance ( man 7 audit.ru -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor session initiation information. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor session initiation information. Example: -# printf "
--w /var/run/utmp -p wa -k session
--w /var/log/wtmp -p wa -k session
--w /var/log/btmp -p wa -k session
-" >> /etc/audit/rules.d/50-session.rules -
+ # printf "
+ -w /var/run/utmp -p wa -k session
+ -w /var/log/wtmp -p wa -k session
+ -w /var/log/btmp -p wa -k session
+ " >> /etc/audit/rules.d/50-session.rules + Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - +
@@ -27297,11 +27297,11 @@ Edit or create a file in the /var/log/lastlog - - maintain records of the last time a user successfully logged in. + - maintain records of the last time a user successfully logged in. /var/run/faillock - - directory maintains records of login failures via the pam_faillock - module. + - directory maintains records of login failures via the pam_faillock + module. @@ -27336,15 +27336,15 @@ Edit or create a file in the Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. 
@@ -27359,24 +27359,24 @@ For performance ( man 7 audit.ru -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor login and logout events. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor login and logout events. Example: -# printf "
--w /var/log/lastlog -p wa -k logins
--w /var/run/faillock -p wa -k logins
-" >> /etc/audit/rules.d/50-login.rules -
+ # printf "
+ -w /var/log/lastlog -p wa -k logins
+ -w /var/run/faillock -p wa -k logins
+ " >> /etc/audit/rules.d/50-login.rules + Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - +
@@ -27400,17 +27400,17 @@ Edit or create a file in the unlink - - remove a file + - remove a file unlinkat - - remove a file attribute + - remove a file attribute rename - - rename a file + - rename a file renameat - rename a file attribute -system calls and tags them with the identifier "delete". + rename a file attribute + system calls and tags them with the identifier "delete". @@ -27435,15 +27435,15 @@ system calls and tags them with the identifier "delete". Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. 
@@ -27459,30 +27459,30 @@ For performance ( man 7 audit.ru Create audit rules -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor file deletion events by users. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor file deletion events by users. Example: -# {
-UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
-[ -n "${UID_MIN}" ] && printf "
--a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete
--a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete
-" >> /etc/audit/rules.d/50-delete.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
-} -
+ # {
+ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+ [ -n "${UID_MIN}" ] && printf "
+ -a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete
+ -a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete
+ " >> /etc/audit/rules.d/50-delete.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
+ } + Load audit rules Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - + @@ -27503,12 +27503,12 @@ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
Ensure events that modify the system's Mandatory Access Controls are collected -Monitor SELinux, an implementation of mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux/ - and /usr/share/selinux/ - directories. + Monitor SELinux, an implementation of mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux/ + and /usr/share/selinux/ + directories. Note: - If a different Mandatory Access Control method is used, changes to the corresponding directories should be audited. + If a different Mandatory Access Control method is used, changes to the corresponding directories should be audited. 
@@ -27532,22 +27532,22 @@ Monitor SELinux, an implementation of mandatory access controls. The parameters Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. -Changes to files in the /etc/selinux/ - and /usr/share/selinux/ - directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. + Changes to files in the /etc/selinux/ + and /usr/share/selinux/ + directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. 
@@ -27556,24 +27556,24 @@ Changes to files in the /etc/seli -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor events that modify the system's Mandatory Access Controls. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor events that modify the system's Mandatory Access Controls. Example: -# printf "
--w /etc/selinux -p wa -k MAC-policy
--w /usr/share/selinux -p wa -k MAC-policy
-" >> /etc/audit/rules.d/50-MAC-policy.rules -
+ # printf "
+ -w /etc/selinux -p wa -k MAC-policy
+ -w /usr/share/selinux -p wa -k MAC-policy
+ " >> /etc/audit/rules.d/50-MAC-policy.rules + Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - +
@@ -27594,8 +27594,8 @@ Edit or create a file in the Ensure successful and unsuccessful attempts to use the chcon command are collected -The operating system must generate audit records for successful/unsuccessful uses of the chcon - command. + The operating system must generate audit records for successful/unsuccessful uses of the chcon + command. 
@@ -27619,21 +27619,21 @@ The operating system must generate audit records for successful/unsuccessful use Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. -The chcon - command is used to change file security context. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + The chcon + command is used to change file security context. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
Audit records can be generated from various components within the information system (e.g., module or policy filter). @@ -27646,30 +27646,30 @@ The chcon Create audit rules -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chcon - command. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chcon + command. Example: -# {
- UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
- [ -n "${UID_MIN}" ] && printf "
--a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng
-" >> /etc/audit/rules.d/50-perm_chng.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
-} -
+ # {
+ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+ [ -n "${UID_MIN}" ] && printf "
+ -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng
+ " >> /etc/audit/rules.d/50-perm_chng.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
+ } + Load audit rules Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - + @@ -27685,8 +27685,8 @@ Edit or create a file in the Ensure successful and unsuccessful attempts to use the setfacl command are collected -The operating system must generate audit records for successful/unsuccessful uses of the setfacl - command + The operating system must generate audit records for successful/unsuccessful uses of the setfacl + command @@ -27710,15 +27710,15 @@ The operating system must generate audit records for successful/unsuccessful use Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. 
@@ -27735,30 +27735,30 @@ For performance ( man 7 audit.ru Create audit rules -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor successful and unsuccessful attempts to use the setfacl - command. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor successful and unsuccessful attempts to use the setfacl + command. Example: -# {
- UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
- [ -n "${UID_MIN}" ] && printf "
--a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng
-" >> /etc/audit/rules.d/50-perm_chng.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
-} -
+ # {
+ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+ [ -n "${UID_MIN}" ] && printf "
+ -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng
+ " >> /etc/audit/rules.d/50-perm_chng.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
+ } + Load audit rules Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - + @@ -27774,11 +27774,11 @@ Edit or create a file in the Ensure successful and unsuccessful attempts to use the chacl command are collected -The operating system must generate audit records for successful/unsuccessful uses of the chacl - command. + The operating system must generate audit records for successful/unsuccessful uses of the chacl + command. chacl - is an IRIX-compatibility command, and is maintained for those users who are familiar with its use from either XFS or IRIX. + is an IRIX-compatibility command, and is maintained for those users who are familiar with its use from either XFS or IRIX. 
@@ -27802,21 +27802,21 @@ The operating system must generate audit records for successful/unsuccessful use Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. chacl - changes the ACL(s) for a file or directory. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + changes the ACL(s) for a file or directory. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
Audit records can be generated from various components within the information system (e.g., module or policy filter). @@ -27829,30 +27829,30 @@ For performance ( man 7 audit.ru Create audit rules -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chacl - command. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chacl + command. Example: -# {
- UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
- [ -n "${UID_MIN}" ] && printf "
--a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng
-" >> /etc/audit/rules.d/50-perm_chng.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
-} -
+ # {
+ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+ [ -n "${UID_MIN}" ] && printf "
+ -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng
+ " >> /etc/audit/rules.d/50-perm_chng.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
+ } + Load audit rules Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - + @@ -27868,8 +27868,8 @@ Edit or create a file in the Ensure successful and unsuccessful attempts to use the usermod command are collected -The operating system must generate audit records for successful/unsuccessful uses of the usermod - command. + The operating system must generate audit records for successful/unsuccessful uses of the usermod + command. 
@@ -27893,21 +27893,21 @@ The operating system must generate audit records for successful/unsuccessful use Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. -The usermod - command modifies the system account files to reflect the changes that are specified on the command line. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + The usermod + command modifies the system account files to reflect the changes that are specified on the command line. 
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). @@ -27920,30 +27920,30 @@ The usermod Create audit rules -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor successful and unsuccessful attempts to use the usermod - command. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor successful and unsuccessful attempts to use the usermod + command. Example: -# {
- UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
- [ -n "${UID_MIN}" ] && printf "
--a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k usermod
-" >> /etc/audit/rules.d/50-usermod.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
-} -
+ # {
+ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+ [ -n "${UID_MIN}" ] && printf "
+ -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k usermod
+ " >> /etc/audit/rules.d/50-usermod.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
+ } + Load audit rules Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - + @@ -27959,29 +27959,29 @@ Edit or create a file in the Ensure kernel module loading unloading and modification is collected -Monitor the loading and unloading of kernel modules. All the loading / listing / dependency checking of modules is done by kmod - via symbolic links. + Monitor the loading and unloading of kernel modules. All the loading / listing / dependency checking of modules is done by kmod + via symbolic links. The following system calls control loading and unloading of modules: init_module - - load a module + - load a module finit_module - - load a module (used when the overhead of using cryptographically signed modules to determine the authenticity of a module can be avoided) + - load a module (used when the overhead of using cryptographically signed modules to determine the authenticity of a module can be avoided) delete_module - - delete a module + - delete a module create_module - - create a loadable module entry + - create a loadable module entry query_module - - query the kernel for various bits pertaining to modules + - query the kernel for various bits pertaining to modules -Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of modules -. + Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of modules + . 
@@ -28005,15 +28005,15 @@ Any execution of the loading and unloading module programs and system calls will Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. System call structure -For performance ( man 7 audit.rules -) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. + For performance ( man 7 audit.rules + ) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page. @@ -28029,32 +28029,32 @@ For performance ( man 7 audit.ru Create audit rules -Edit or create a file in the /etc/audit/rules.d/ - directory, ending in .rules - extension, with the relevant rules to monitor kernel module modification. + Edit or create a file in the /etc/audit/rules.d/ + directory, ending in .rules + extension, with the relevant rules to monitor kernel module modification. Example: -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
- [ -n "${UID_MIN}" ] && printf "
- -a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules
- -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules
- " >> /etc/audit/rules.d/50-kernel_modules.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
-} -
+ {
+ UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+ [ -n "${UID_MIN}" ] && printf "
+ -a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules
+ -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules
+ " >> /etc/audit/rules.d/50-kernel_modules.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
+ } + Load audit rules Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - + @@ -28075,12 +28075,12 @@ Edit or create a file in the Ensure the audit configuration is immutable -Set system audit so that audit rules cannot be modified with auditctl - . Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. + Set system audit so that audit rules cannot be modified with auditctl + . Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Note: - This setting will require the system to be rebooted to update the active auditd - configuration settings. + This setting will require the system to be rebooted to update the active auditd + configuration settings. @@ -28122,23 +28122,23 @@ Set system audit so that audit rules cannot be modified with -Edit or create the file /etc/audit/rules.d/99-finalize.rules - and add the line -e 2 - at the end of the file: + Edit or create the file /etc/audit/rules.d/99-finalize.rules + and add the line -e 2 + at the end of the file: Example: # printf '\n%s' "-e 2" >> /etc/audit/rules.d/99-finalize.rules - + Load audit rules Merge and load the rules into active configuration: # augenrules --load - + Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - + 
@@ -28156,10 +28156,10 @@ Edit or create the file /etc/ The Audit system have both on disk and running configuration. It is possible for these configuration settings to differ. Note: - Due to the limitations of augenrules - and auditctl -, it is not absolutely guaranteed that loading the rule sets via augenrules --load - will result in all rules being loaded or even that the user will be informed if there was a problem loading the rules. + Due to the limitations of augenrules + and auditctl + , it is not absolutely guaranteed that loading the rule sets via augenrules --load + will result in all rules being loaded or even that the user will be informed if there was a problem loading the rules. @@ -28183,9 +28183,9 @@ Edit or create the file /etc/ Potential reboot required -If the auditing configuration is locked ( -e 2 -), then augenrules - will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. + If the auditing configuration is locked ( -e 2 + ), then augenrules + will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration. @@ -28199,10 +28199,10 @@ If the auditing configuration is locked ( # augenrules --load - + Check if reboot is required. if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then echo "Reboot required to load rules"; fi - + @@ -28247,7 +28247,7 @@ If the auditing configuration is locked ( # chmod g-w,o-rwx "$(dirname "$(awk -F= '/^\s*log_file\s*/{print $2}' /etc/audit/auditd.conf | xargs)")" - + 
@@ -28291,10 +28291,10 @@ If the auditing configuration is locked ( 0640 - from audit log files: + Run the following command to remove more permissive mode than 0640 + from audit log files: # [ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f -perm /0137 -exec chmod u-x,g-wx,o-rwx {} + - + @@ -28339,10 +28339,10 @@ Run the following command to remove more permissive mode than -Run the following command to configure the audit log files to be owned by the root - user: + Run the following command to configure the audit log files to be owned by the root + user: # [ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f ! -user root -exec chown root {} + - + @@ -28386,24 +28386,24 @@ Run the following command to configure the audit log files to be owned by the -Run the following command to configure the audit log files to be owned by adm - group: + Run the following command to configure the audit log files to be owned by adm + group: # find $(dirname $(awk -F"=" '/^\s*log_file\s*=\s*/ {print $2}' /etc/audit/auditd.conf | xargs)) -type f \( ! -group adm -a ! -group root \) -exec chgrp adm {} + - + -Run the following command to configure the audit log files to be owned by the adm - group: + Run the following command to configure the audit log files to be owned by the adm + group: # chgrp adm /var/log/audit/ - + -Run the following command to set the log_group - parameter in the audit configuration file to log_group = adm -: + Run the following command to set the log_group + parameter in the audit configuration file to log_group = adm + : # sed -ri 's/^\s*#?\s*log_group\s*=\s*\S+(\s*#.*)?.*$/log_group = adm\1/' /etc/audit/auditd.conf - + Run the following command to restart the audit daemon to reload the configuration file: # systemctl restart auditd - + 
@@ -28449,7 +28449,7 @@ Run the following command to set the # find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) -exec chmod u-x,g-wx,o-rwx {} + - + @@ -28499,10 +28499,10 @@ Run the following command to set the root - user: + Run the following command to change ownership to root + user: # find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! -user root -exec chown root {} + - + @@ -28552,10 +28552,10 @@ Run the following command to change ownership to -Run the following command to change group to root -: + Run the following command to change group to root + : # find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! -group root -exec chgrp root {} + - + @@ -28606,7 +28606,7 @@ Run the following command to change group to Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules - + @@ -28683,10 +28683,10 @@ Run the following command to change group to -Run the following command to change the owner of the audit tools to the root - user: + Run the following command to change the owner of the audit tools to the root + user: # chown root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules - + @@ -28764,10 +28764,10 @@ Run the following command to change the owner of the audit tools to the -Run the following command to change group ownership to the groop root -: + Run the following command to change group ownership to the groop root + : # chgrp root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules - + 
@@ -28829,8 +28829,8 @@ Run the following command to change group ownership to the groop Ensure permissions on /etc/passwd are configured -The /etc/passwd - file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate. + The /etc/passwd + file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate. @@ -28852,8 +28852,8 @@ The /etc/passwd -It is critical to ensure that the /etc/passwd - file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. + It is critical to ensure that the /etc/passwd + file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. @@ -28862,12 +28862,12 @@ It is critical to ensure that the / -Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd -: + Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd + : -# chmod u-x,go-wx /etc/passwd
-# chown root:root /etc/passwd -
+ # chmod u-x,go-wx /etc/passwd
+ # chown root:root /etc/passwd +
@@ -28895,8 +28895,8 @@ Run the following commands to remove excess permissions, set owner, and set grou Ensure permissions on /etc/passwd- are configured -The /etc/passwd- - file contains backup user account information. + The /etc/passwd- + file contains backup user account information. @@ -28918,8 +28918,8 @@ The /etc/passwd- -It is critical to ensure that the /etc/passwd- - file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. + It is critical to ensure that the /etc/passwd- + file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. @@ -28928,12 +28928,12 @@ It is critical to ensure that the / -Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd- -: + Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd- + : -# chmod u-x,go-wx /etc/passwd-
-# chown root:root /etc/passwd- -
+ # chmod u-x,go-wx /etc/passwd-
+ # chown root:root /etc/passwd- +
@@ -28961,8 +28961,8 @@ Run the following commands to remove excess permissions, set owner, and set grou Ensure permissions on /etc/group are configured -The /etc/group - file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else. + The /etc/group + file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else. @@ -28984,8 +28984,8 @@ The /etc/group -The /etc/group - file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs. + The /etc/group + file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs. @@ -28994,12 +28994,12 @@ The /etc/group -Run the following commands to remove excess permissions, set owner, and set group on /etc/group -: + Run the following commands to remove excess permissions, set owner, and set group on /etc/group + : -# chmod u-x,go-wx /etc/group
-# chown root:root /etc/group -
+ # chmod u-x,go-wx /etc/group
+ # chown root:root /etc/group +
@@ -29027,8 +29027,8 @@ Run the following commands to remove excess permissions, set owner, and set grou Ensure permissions on /etc/group- are configured -The /etc/group- - file contains a backup list of all the valid groups defined in the system. + The /etc/group- + file contains a backup list of all the valid groups defined in the system. @@ -29050,8 +29050,8 @@ The /etc/group- -It is critical to ensure that the /etc/group- - file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. + It is critical to ensure that the /etc/group- + file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. @@ -29060,12 +29060,12 @@ It is critical to ensure that the / -Run the following commands to remove excess permissions, set owner, and set group on /etc/group- -: + Run the following commands to remove excess permissions, set owner, and set group on /etc/group- + : -# chmod u-x,go-wx /etc/group-
-# chown root:root /etc/group- -
+ # chmod u-x,go-wx /etc/group-
+ # chown root:root /etc/group- +
@@ -29093,8 +29093,8 @@ Run the following commands to remove excess permissions, set owner, and set grou Ensure permissions on /etc/shadow are configured -The /etc/shadow - file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information. + The /etc/shadow + file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information. @@ -29116,9 +29116,9 @@ The /etc/shadow -If attackers can gain read access to the /etc/shadow - file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow - file (such as expiration) could also be useful to subvert the user accounts. + If attackers can gain read access to the /etc/shadow + file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow + file (such as expiration) could also be useful to subvert the user accounts. @@ -29127,12 +29127,12 @@ If attackers can gain read access to the /etc/shadow -: + Run the following commands to set mode, owner, and group on /etc/shadow + : -# chown root:root /etc/shadow
-# chmod 0000 /etc/shadow -
+ # chown root:root /etc/shadow
+ # chmod 0000 /etc/shadow + @@ -29160,8 +29160,8 @@ Run the following commands to set mode, owner, and group on Ensure permissions on /etc/shadow- are configured -The /etc/shadow- - file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information. + The /etc/shadow- + file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information. @@ -29183,8 +29183,8 @@ The /etc/shadow- -It is critical to ensure that the /etc/shadow- - file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. + It is critical to ensure that the /etc/shadow- + file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. @@ -29193,12 +29193,12 @@ It is critical to ensure that the / -Run the following commands to set mode, owner, and group on /etc/shadow- -: + Run the following commands to set mode, owner, and group on /etc/shadow- + : -# chown root:root /etc/shadow-
-# chmod 0000 /etc/shadow- -
+ # chown root:root /etc/shadow-
+ # chmod 0000 /etc/shadow- +
@@ -29226,8 +29226,8 @@ Run the following commands to set mode, owner, and group on Ensure permissions on /etc/gshadow are configured -The /etc/gshadow - file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information. + The /etc/gshadow + file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information. @@ -29249,9 +29249,9 @@ The /etc/gshadow -If attackers can gain read access to the /etc/gshadow - file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow - file (such as group administrators) could also be useful to subvert the group. + If attackers can gain read access to the /etc/gshadow + file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow + file (such as group administrators) could also be useful to subvert the group. @@ -29260,12 +29260,12 @@ If attackers can gain read access to the /etc/gshadow -: + Run the following commands to set mode, owner, and group on /etc/gshadow + : -# chown root:root /etc/gshadow
-# chmod 0000 /etc/gshadow -
+ # chown root:root /etc/gshadow
+ # chmod 0000 /etc/gshadow + @@ -29293,8 +29293,8 @@ Run the following commands to set mode, owner, and group on Ensure permissions on /etc/gshadow- are configured -The /etc/gshadow- - file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information. + The /etc/gshadow- + file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information. @@ -29316,8 +29316,8 @@ The /etc/gshadow- -It is critical to ensure that the /etc/gshadow- - file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. + It is critical to ensure that the /etc/gshadow- + file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. @@ -29326,12 +29326,12 @@ It is critical to ensure that the / -Run the following commands to set mode, owner, and group on /etc/gshadow- -: + Run the following commands to set mode, owner, and group on /etc/gshadow- + : -# chown root:root /etc/gshadow-
-# chmod 0000 /etc/gshadow- -
+ # chown root:root /etc/gshadow-
+ # chmod 0000 /etc/gshadow- +
@@ -29360,8 +29360,8 @@ Run the following commands to set mode, owner, and group on /etc/shells - is a text file which contains the full pathnames of valid login shells. This file is consulted by chsh - and available to be queried by other programs. + is a text file which contains the full pathnames of valid login shells. This file is consulted by chsh + and available to be queried by other programs. @@ -29383,8 +29383,8 @@ Run the following commands to set mode, owner, and group on -It is critical to ensure that the /etc/shells - file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. + It is critical to ensure that the /etc/shells + file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. @@ -29393,12 +29393,12 @@ It is critical to ensure that the / -Run the following commands to remove excess permissions, set owner, and set group on /etc/shells -: + Run the following commands to remove excess permissions, set owner, and set group on /etc/shells + : -# chmod u-x,go-wx /etc/shells
-# chown root:root /etc/shells -
+ # chmod u-x,go-wx /etc/shells
+ # chown root:root /etc/shells +
@@ -29427,10 +29427,10 @@ Run the following commands to remove excess permissions, set owner, and set grou /etc/security/opasswd - and it's backup /etc/security/opasswd.old - hold user's previous passwords if pam_unix - or pam_pwhistory - is in use on the system + and it's backup /etc/security/opasswd.old + hold user's previous passwords if pam_unix + or pam_pwhistory + is in use on the system @@ -29452,8 +29452,8 @@ Run the following commands to remove excess permissions, set owner, and set grou -It is critical to ensure that /etc/security/opasswd - is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. + It is critical to ensure that /etc/security/opasswd + is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. @@ -29462,15 +29462,15 @@ It is critical to ensure that /etc/ -Run the following commands to remove excess permissions, set owner, and set group on /etc/security/opasswd - and /etc/security/opasswd.old - is they exist: + Run the following commands to remove excess permissions, set owner, and set group on /etc/security/opasswd + and /etc/security/opasswd.old + is they exist: -# [ -e "/etc/security/opasswd" ] && chmod u-x,go-rwx /etc/security/opasswd
-# [ -e "/etc/security/opasswd" ] && chown root:root /etc/security/opasswd
-# [ -e "/etc/security/opasswd.old" ] && chmod u-x,go-rwx /etc/security/opasswd.old
-# [ -e "/etc/security/opasswd.old" ] && chown root:root /etc/security/opasswd.old -
+ # [ -e "/etc/security/opasswd" ] && chmod u-x,go-rwx /etc/security/opasswd
+ # [ -e "/etc/security/opasswd" ] && chown root:root /etc/security/opasswd
+ # [ -e "/etc/security/opasswd.old" ] && chmod u-x,go-rwx /etc/security/opasswd.old
+ # [ -e "/etc/security/opasswd.old" ] && chown root:root /etc/security/opasswd.old +
@@ -29519,8 +29519,8 @@ Run the following commands to remove excess permissions, set owner, and set grou Ensure world writable files and directories are secured -World writable files are the least secure. Data in world-writable files can be modified and compromised by any user on the system. World writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity. See the chmod(2) - man page for more information. + World writable files are the least secure. Data in world-writable files can be modified and compromised by any user on the system. World writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity. See the chmod(2) + man page for more information. Setting the sticky bit on world writable directories prevents users from deleting or renaming files in that directory that are not owned by them. @@ -29544,8 +29544,8 @@ World writable files are the least secure. Data in world-writable files can be m Data in world-writable files can be modified and compromised by any user on the system. World writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity. -This feature prevents the ability to delete or rename files in world writable directories (such as /tmp - ) that are owned by another user. + This feature prevents the ability to delete or rename files in world writable directories (such as /tmp + ) that are owned by another user. 
@@ -29555,20 +29555,20 @@ This feature prevents the ability to delete or rename files in world writable di -World Writable Files: - + World Writable Files: + -It is recommended that write access is removed from other - with the command ( chmod o-w <filename> - ), but always consult relevant vendor documentation to avoid breaking any application dependencies on a given file. + It is recommended that write access is removed from other + with the command ( chmod o-w <filename> + ), but always consult relevant vendor documentation to avoid breaking any application dependencies on a given file. -World Writable Directories: - + World Writable Directories: + -Set the sticky bit on all world writable directories with the command ( chmod a+t <directory_name> - ) + Set the sticky bit on all world writable directories with the command ( chmod a+t <directory_name> + ) @@ -29578,31 +29578,31 @@ Set the sticky bit on all world writable directories with the command ( Add the sticky bit to all world writable directories -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_smask='01000'
- a_file=(); a_dir=() # Initialize arrays
- a_path=(! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "*/kubelet/plugins/*" -a ! -path "/sys/*" -a ! -path "/snap/*")
- while IFS= read -r l_mount; do
- while IFS= read -r -d $'\0' l_file; do
- if [ -e "$l_file" ]; then
- l_mode="$(stat -Lc '%#a' "$l_file")"
- if [ -f "$l_file" ]; then # Remove excess permissions from WW files
- echo -e " - File: \"$l_file\" is mode: \"$l_mode\"\n - removing write permission on \"$l_file\" from \"other\""
- chmod o-w "$l_file"
- fi
- if [ -d "$l_file" ]; then # Add sticky bit
- if [ ! $(( $l_mode & $l_smask )) -gt 0 ]; then
- echo -e " - Directory: \"$l_file\" is mode: \"$l_mode\" and doesn't have the sticky bit set\n - Adding the sticky bit"
- chmod a+t "$l_file"
- fi
- fi
- fi
- done < <(find "$l_mount" -xdev \( "${a_path[@]}" \) \( -type f -o -type d \) -perm -0002 -print0 2> /dev/null)
- done < <(findmnt -Dkerno fstype,target | awk '($1 !~ /^\s*(nfs|proc|smb|vfat|iso9660|efivarfs|selinuxfs)/ && $2 !~ /^(\/run\/user\/|\/tmp|\/var\/tmp)/){print $2}')
-} -
+ {
+ l_smask='01000'
+ a_file=(); a_dir=() # Initialize arrays
+ a_path=(! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "*/kubelet/plugins/*" -a ! -path "/sys/*" -a ! -path "/snap/*")
+ while IFS= read -r l_mount; do
+ while IFS= read -r -d $'\0' l_file; do
+ if [ -e "$l_file" ]; then
+ l_mode="$(stat -Lc '%#a' "$l_file")"
+ if [ -f "$l_file" ]; then # Remove excess permissions from WW files
+ echo -e " - File: \"$l_file\" is mode: \"$l_mode\"\n - removing write permission on \"$l_file\" from \"other\""
+ chmod o-w "$l_file"
+ fi
+ if [ -d "$l_file" ]; then # Add sticky bit
+ if [ ! $(( $l_mode & $l_smask )) -gt 0 ]; then
+ echo -e " - Directory: \"$l_file\" is mode: \"$l_mode\" and doesn't have the sticky bit set\n - Adding the sticky bit"
+ chmod a+t "$l_file"
+ fi
+ fi
+ fi
+ done < <(find "$l_mount" -xdev \( "${a_path[@]}" \) \( -type f -o -type d \) -perm -0002 -print0 2> /dev/null)
+ done < <(findmnt -Dkerno fstype,target | awk '($1 !~ /^\s*(nfs|proc|smb|vfat|iso9660|efivarfs|selinuxfs)/ && $2 !~ /^(\/run\/user\/|\/tmp|\/var\/tmp)/){print $2}')
+ } +
@@ -29700,16 +29700,16 @@ Set the sticky bit on all world writable directories with the command ( This section provides guidance on securing aspects of the local users and groups. Note: - The recommendations in this section check local users and groups. Any users or groups from other sources such as LDAP will not be audited. In a domain environment similar checks should be performed against domain users and groups. + The recommendations in this section check local users and groups. Any users or groups from other sources such as LDAP will not be audited. In a domain environment similar checks should be performed against domain users and groups. Ensure accounts in /etc/passwd use shadowed passwords -Local accounts can uses shadowed passwords. With shadowed passwords, The passwords are saved in shadow password file, /etc/shadow -, encrypted by a salted one-way hash. Accounts with a shadowed password have an x - in the second field in /etc/passwd -. + Local accounts can uses shadowed passwords. With shadowed passwords, The passwords are saved in shadow password file, /etc/shadow + , encrypted by a salted one-way hash. Accounts with a shadowed password have an x + in the second field in /etc/passwd + . 
@@ -29730,73 +29730,73 @@ Local accounts can uses shadowed passwords. With shadowed passwords, The passwo -The pwconv - command creates shadow from passwd - and an optionally existing shadow -. + The pwconv + command creates shadow from passwd + and an optionally existing shadow + . -The pwunconv - command creates passwd - from passwd - and shadow - and then removes shadow -. + The pwunconv + command creates passwd + from passwd + and shadow + and then removes shadow + . -The grpconv - command creates gshadow - from group - and an optionally existing gshadow -. + The grpconv + command creates gshadow + from group + and an optionally existing gshadow + . -The grpunconv - command creates group - from group - and gshadow - and then removes gshadow -. + The grpunconv + command creates group + from group + and gshadow + and then removes gshadow + . -These four programs all operate on the normal and shadow password and group files: /etc/passwd -, /etc/group -, /etc/shadow -, and /etc/gshadow -. + These four programs all operate on the normal and shadow password and group files: /etc/passwd + , /etc/group + , /etc/shadow + , and /etc/gshadow + . -Each program acquires the necessary locks before conversion. pwconv - and grpconv - are similar. First, entries in the shadowed file which don't exist in the main file are removed. Then, shadowed entries which don't have x' as the password in the main file are updated. Any missing shadowed entries are added. Finally, passwords in the main file are replaced with -x'. These programs can be used for initial conversion as well to update the shadowed file if the main file is edited by hand. + Each program acquires the necessary locks before conversion. pwconv + and grpconv + are similar. First, entries in the shadowed file which don't exist in the main file are removed. Then, shadowed entries which don't have x' as the password in the main file are updated. Any missing shadowed entries are added. 
Finally, passwords in the main file are replaced with + x'. These programs can be used for initial conversion as well to update the shadowed file if the main file is edited by hand. pwconv - will use the values of PASS_MIN_DAYS -, PASS_MAX_DAYS -, and PASS_WARN_AGE - from /etc/login.defs when adding new entries to /etc/shadow. + will use the values of PASS_MIN_DAYS + , PASS_MAX_DAYS + , and PASS_WARN_AGE + from /etc/login.defs when adding new entries to /etc/shadow. pwunconv - and grpunconv - are similar. Passwords in the main file are updated from the shadowed file. Entries which exist in the main file but not in the shadowed file are left alone. Finally, the shadowed file is removed. Some password aging information is lost by pwunconv -. It will convert what it can. + and grpunconv + are similar. Passwords in the main file are updated from the shadowed file. Entries which exist in the main file but not in the shadowed file are left alone. Finally, the shadowed file is removed. Some password aging information is lost by pwunconv + . It will convert what it can. -The /etc/passwd - file also contains information like user ID's and group ID's that are used by many system programs. Therefore, the /etc/passwd - file must remain world readable. In spite of encoding the password with a randomly-generated one-way hash function, an attacker could still break the system if they got access to the /etc/passwd - file. This can be mitigated by using shadowed passwords, thus moving the passwords in the /etc/passwd - file to /etc/shadow -. The /etc/shadow - file is set so only root will be able to read and write. This helps mitigate the risk of an attacker gaining access to the encoded passwords with which to perform a dictionary attack. + The /etc/passwd + file also contains information like user ID's and group ID's that are used by many system programs. Therefore, the /etc/passwd + file must remain world readable. 
In spite of encoding the password with a randomly-generated one-way hash function, an attacker could still break the system if they got access to the /etc/passwd + file. This can be mitigated by using shadowed passwords, thus moving the passwords in the /etc/passwd + file to /etc/shadow + . The /etc/shadow + file is set so only root will be able to read and write. This helps mitigate the risk of an attacker gaining access to the encoded passwords with which to perform a dictionary attack. Note: All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. -A user account with an empty second field in /etc/passwd - allows the account to be logged into by providing only the username. + A user account with an empty second field in /etc/passwd + allows the account to be logged into by providing only the username. @@ -29807,11 +29807,11 @@ A user account with an empty second field in /etc/passwd - to /etc/shadow -: + Run the following command to set accounts to use shadowed passwords and migrate passwords in /etc/passwd + to /etc/shadow + : # pwconv - + Investigate to determine if the account is logged in and what it is being used for, to determine if it needs to be forced off. @@ -29855,10 +29855,10 @@ Run the following command to set accounts to use shadowed passwords and migrate -If any accounts in the /etc/shadow - file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: + If any accounts in the /etc/shadow + file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username> - + Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off. 
@@ -29874,9 +29874,9 @@ If any accounts in the /etc/sha Ensure all groups in /etc/passwd exist in /etc/group -Over time, system administration errors and changes can lead to groups being defined in /etc/passwd - but not in /etc/group - . + Over time, system administration errors and changes can lead to groups being defined in /etc/passwd + but not in /etc/group + . @@ -29896,9 +29896,9 @@ Over time, system administration errors and changes can lead to groups being def -Groups defined in the /etc/passwd - file but not in the /etc/group - file pose a threat to system security since group permissions are not properly managed. + Groups defined in the /etc/passwd + file but not in the /etc/group + file pose a threat to system security since group permissions are not properly managed. @@ -29921,9 +29921,9 @@ Groups defined in the /etc/passwdEnsure no duplicate UIDs exist -Although the useradd - program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually edit the /etc/passwd - file and change the UID field. + Although the useradd + program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually edit the /etc/passwd + file and change the UID field. Users must be assigned unique UIDs for accountability and to ensure appropriate access protections. @@ -29947,16 +29947,16 @@ Although the useradd Ensure no duplicate GIDs exist -Although the groupadd - program will not let you create a duplicate Group ID (GID), it is possible for an administrator to manually edit the /etc/group - file and change the GID field. + Although the groupadd + program will not let you create a duplicate Group ID (GID), it is possible for an administrator to manually edit the /etc/group + file and change the GID field. -You can also use the grpck - command to check for other inconsistencies in the /etc/group - file. + You can also use the grpck + command to check for other inconsistencies in the /etc/group + file. 
@@ -29981,14 +29981,14 @@ You can also use the grpckEnsure no duplicate user names exist -Although the useradd - program will not let you create a duplicate user name, it is possible for an administrator to manually edit the /etc/passwd - file and change the user name. + Although the useradd + program will not let you create a duplicate user name, it is possible for an administrator to manually edit the /etc/passwd + file and change the user name. -If a user is assigned a duplicate user name, it will create and have access to files with the first UID for that username in /etc/passwd - . For example, if "test4" has a UID of 1000 and a subsequent "test4" entry has a UID of 2000, logging in as "test4" will use UID 1000. Effectively, the UID is shared, which is a security problem. + If a user is assigned a duplicate user name, it will create and have access to files with the first UID for that username in /etc/passwd + . For example, if "test4" has a UID of 1000 and a subsequent "test4" entry has a UID of 2000, logging in as "test4" will use UID 1000. Effectively, the UID is shared, which is a security problem. NIST SP 800-53 Rev. 5: CM-1, CM-2, CM-6, CM-7, IA-5 
@@ -30009,14 +30009,14 @@ If a user is assigned a duplicate user name, it will create and have access to f Ensure no duplicate group names exist -Although the groupadd - program will not let you create a duplicate group name, it is possible for an administrator to manually edit the /etc/group - file and change the group name. + Although the groupadd + program will not let you create a duplicate group name, it is possible for an administrator to manually edit the /etc/group + file and change the group name. -If a group is assigned a duplicate group name, it will create and have access to files with the first GID for that group in /etc/group - . Effectively, the GID is shared, which is a security problem. + If a group is assigned a duplicate group name, it will create and have access to files with the first GID for that group in /etc/group + . Effectively, the GID is shared, which is a security problem. NIST SP 800-53 Rev. 5: CM-1, CM-2, CM-6, CM-7, IA-5 @@ -30037,8 +30037,8 @@ If a group is assigned a duplicate group name, it will create and have access to Ensure local interactive user home directories are configured -The user home directory is space defined for the particular user to set local environment variables and to store personal files. While the system administrator can establish secure permissions for users' home directories, the users can easily override these. Users can be defined in /etc/passwd - without a home directory or with a home directory that does not actually exist. + The user home directory is space defined for the particular user to set local environment variables and to store personal files. While the system administrator can establish secure permissions for users' home directories, the users can easily override these. Users can be defined in /etc/passwd + without a home directory or with a home directory that does not actually exist. 
@@ -30071,8 +30071,8 @@ The user home directory is space defined for the particular user to set local en Lock the user account Remove the user from the system -create a directory for the user. If undefined, edit /etc/passwd - and add the absolute path to the directory to the last field of the user. + create a directory for the user. If undefined, edit /etc/passwd + and add the absolute path to the directory to the last field of the user. Run the following script to: @@ -30080,42 +30080,42 @@ create a directory for the user. If undefined, edit Update the home directory's owner -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- l_output2=""
- l_valid_shells="^($( awk -F\/ '$NF != "nologin" {print}' /etc/shells | sed -rn '/^\//{s,/,\\\\/,g;p}' | paste -s -d '|' - ))$"
- unset a_uarr && a_uarr=() # Clear and initialize array
- while read -r l_epu l_eph; do # Populate array with users and user home location
- a_uarr+=("$l_epu $l_eph")
- done <<< "$(awk -v pat="$l_valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd)"
- l_asize="${#a_uarr[@]}" # Here if we want to look at number of users before proceeding
- [ "$l_asize " -gt "10000" ] && echo -e "\n ** INFO **\n - \"$l_asize\" Local interactive users found on the system\n - This may be a long running process\n"
- while read -r l_user l_home; do
- if [ -d "$l_home" ]; then
- l_mask='0027'
- l_max="$( printf '%o' $(( 0777 & ~$l_mask)) )"
- while read -r l_own l_mode; do
- if [ "$l_user" != "$l_own" ]; then
- l_output2="$l_output2\n - User: \"$l_user\" Home \"$l_home\" is owned by: \"$l_own\"\n - changing ownership to: \"$l_user\"\n"
- chown "$l_user" "$l_home"
- fi
- if [ $(( $l_mode & $l_mask )) -gt 0 ]; then
- l_output2="$l_output2\n - User: \"$l_user\" Home \"$l_home\" is mode: \"$l_mode\" should be mode: \"$l_max\" or more restrictive\n - removing excess permissions\n"
- chmod g-w,o-rwx "$l_home"
- fi
- done <<< "$(stat -Lc '%U %#a' "$l_home")"
- else
- l_output2="$l_output2\n - User: \"$l_user\" Home \"$l_home\" Doesn't exist\n - Please create a home in accordance with local site policy"
- fi
- done <<< "$(printf '%s\n' "${a_uarr[@]}")"
- if [ -z "$l_output2" ]; then # If l_output2 is empty, we pass
- echo -e " - No modification needed to local interactive users home directories"
- else
- echo -e "\n$l_output2"
- fi
-} -
+ {
+ l_output2=""
+ l_valid_shells="^($( awk -F\/ '$NF != "nologin" {print}' /etc/shells | sed -rn '/^\//{s,/,\\\\/,g;p}' | paste -s -d '|' - ))$"
+ unset a_uarr && a_uarr=() # Clear and initialize array
+ while read -r l_epu l_eph; do # Populate array with users and user home location
+ a_uarr+=("$l_epu $l_eph")
+ done <<< "$(awk -v pat="$l_valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd)"
+ l_asize="${#a_uarr[@]}" # Here if we want to look at number of users before proceeding
+ [ "$l_asize " -gt "10000" ] && echo -e "\n ** INFO **\n - \"$l_asize\" Local interactive users found on the system\n - This may be a long running process\n"
+ while read -r l_user l_home; do
+ if [ -d "$l_home" ]; then
+ l_mask='0027'
+ l_max="$( printf '%o' $(( 0777 & ~$l_mask)) )"
+ while read -r l_own l_mode; do
+ if [ "$l_user" != "$l_own" ]; then
+ l_output2="$l_output2\n - User: \"$l_user\" Home \"$l_home\" is owned by: \"$l_own\"\n - changing ownership to: \"$l_user\"\n"
+ chown "$l_user" "$l_home"
+ fi
+ if [ $(( $l_mode & $l_mask )) -gt 0 ]; then
+ l_output2="$l_output2\n - User: \"$l_user\" Home \"$l_home\" is mode: \"$l_mode\" should be mode: \"$l_max\" or more restrictive\n - removing excess permissions\n"
+ chmod g-w,o-rwx "$l_home"
+ fi
+ done <<< "$(stat -Lc '%U %#a' "$l_home")"
+ else
+ l_output2="$l_output2\n - User: \"$l_user\" Home \"$l_home\" Doesn't exist\n - Please create a home in accordance with local site policy"
+ fi
+ done <<< "$(printf '%s\n' "${a_uarr[@]}")"
+ if [ -z "$l_output2" ]; then # If l_output2 is empty, we pass
+ echo -e " - No modification needed to local interactive users home directories"
+ else
+ echo -e "\n$l_output2"
+ fi
+ }
+
@@ -30133,16 +30133,16 @@ create a directory for the user. If undefined, edit .forward - file specifies an email address to forward the user's mail to. + file specifies an email address to forward the user's mail to. .rhost - file provides the "remote authentication" database for the rcp, rlogin, and rsh commands and the rcmd() function. These files bypass the standard password-based user authentication mechanism. They specify remote hosts and users that are considered trusted (i.e. are allowed to access the local system without supplying a password) + file provides the "remote authentication" database for the rcp, rlogin, and rsh commands and the rcmd() function. These files bypass the standard password-based user authentication mechanism. They specify remote hosts and users that are considered trusted (i.e. are allowed to access the local system without supplying a password) .netrc - file contains data for logging into a remote host or passing authentication to an API. + file contains data for logging into a remote host or passing authentication to an API. .bash_history - file keeps track of the user’s commands. + file keeps track of the user’s commands. 
@@ -30176,81 +30176,81 @@ create a directory for the user. If undefined, edit The following script will: -remove excessive permissions on dot - files within interactive users' home directories + remove excessive permissions on dot + files within interactive users' home directories -change ownership of dot - files within interactive users' home directories to the user + change ownership of dot + files within interactive users' home directories to the user -change group ownership of dot - files within interactive users' home directories to the user's primary group + change group ownership of dot + files within interactive users' home directories to the user's primary group -list .forward - and .rhost - files to be investigated and manually deleted + list .forward + and .rhost + files to be investigated and manually deleted -#!/usr/bin/env bash
+ #!/usr/bin/env bash

-{
- a_output2=(); a_output3=()
- l_maxsize="1000" # Maximum number of local interactive users before warning (Default 1,000)
- l_valid_shells="^($( awk -F\/ '$NF != "nologin" {print}' /etc/shells | sed -rn '/^\//{s,/,\\\\/,g;p}' | paste -s -d '|' - ))$"
- a_user_and_home=() # Create array with local users and their home directories
- while read -r l_local_user l_local_user_home; do # Populate array with users and user home location
- [[ -n "$l_local_user" && -n "$l_local_user_home" ]] && a_user_and_home+=("$l_local_user:$l_local_user_home")
- done <<< "$(awk -v pat="$l_valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd)"
- l_asize="${#a_user_and_home[@]}" # Here if we want to look at number of users before proceeding
- [ "${#a_user_and_home[@]}" -gt "$l_maxsize" ] && printf '%s\n' "" " ** INFO **" \
- " - \"$l_asize\" Local interactive users found on the system" \
- " - This may be a long running check" ""
- file_access_fix()
- {
- a_access_out=()
- l_max="$( printf '%o' $(( 0777 & ~$l_mask)) )"
- if [ $(( $l_mode & $l_mask )) -gt 0 ]; then
- printf '%s\n' "" " - File: \"$l_hdfile\" is mode: \"$l_mode\" and should be mode: \"$l_max\" or more restrictive" \
- " Updating file: \"$l_hdfile\" to be mode: \"$l_max\" or more restrictive"
- chmod "$l_change" "$l_hdfile"
- fi
- if [[ ! "$l_owner" =~ ($l_user) ]]; then
- printf '%s\n' "" " - File: \"$l_hdfile\" owned by: \"$l_owner\" and should be owned by \"${l_user//|/ or }\"" \
- " Updating file: \"$l_hdfile\" to be owned by \"${l_user//|/ or }\""
- chown "$l_user" "$l_hdfile"
- fi
- if [[ ! "$l_gowner" =~ ($l_group) ]]; then
- printf '%s\n' "" " - File: \"$l_hdfile\" group owned by: \"$l_gowner\" and should be group owned by \"${l_group//|/ or }\"" \
- " Updating file: \"$l_hdfile\" to be group owned by \"${l_group//|/ or }\""
- chgrp "$l_group" "$l_hdfile"
- fi
- }
- while IFS=: read -r l_user l_home; do
- a_dot_file=(); a_netrc=(); a_netrc_warn=(); a_bhout=(); a_hdirout=()
- if [ -d "$l_home" ]; then
- l_group="$(id -gn "$l_user" | xargs)";l_group="${l_group// /|}"
- while IFS= read -r -d $'\0' l_hdfile; do
- while read -r l_mode l_owner l_gowner; do
- case "$(basename "$l_hdfile")" in
- .forward | .rhost )
- a_dot_file+=(" - File: \"$l_hdfile\" exists" " Please review and manually delete this file") ;;
- .netrc )
- l_mask='0177'; l_change="u-x,go-rwx"; file_access_fix
- a_netrc_warn+=(" - File: \"$l_hdfile\" exists") ;;
- .bash_history )
- l_mask='0177'; l_change="u-x,go-rwx"; file_access_fix ;;
- * )
- l_mask='0133'; l_change="u-x,go-wx"; file_access_fix ;;
- esac
- done < <(stat -Lc '%#a %U %G' "$l_hdfile")
- done < <(find "$l_home" -xdev -type f -name '.*' -print0)
- fi
- [ "${#a_dot_file[@]}" -gt 0 ] && a_output2+=(" - User: \"$l_user\" Home Directory: \"$l_home\"" "${a_dot_file[@]}")
- [ "${#a_netrc_warn[@]}" -gt 0 ] && a_output3+=(" - User: \"$l_user\" Home Directory: \"$l_home\"" "${a_netrc_warn[@]}")
- done <<< "$(printf '%s\n' "${a_user_and_home[@]}")"
- [ "${#a_output3[@]}" -gt 0 ] && printf '%s\n' "" " ** WARNING **" "${a_output3[@]}" ""
- [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "" "${a_output2[@]}"
-}
-
+ {
+ a_output2=(); a_output3=()
+ l_maxsize="1000" # Maximum number of local interactive users before warning (Default 1,000)
+ l_valid_shells="^($( awk -F\/ '$NF != "nologin" {print}' /etc/shells | sed -rn '/^\//{s,/,\\\\/,g;p}' | paste -s -d '|' - ))$"
+ a_user_and_home=() # Create array with local users and their home directories
+ while read -r l_local_user l_local_user_home; do # Populate array with users and user home location
+ [[ -n "$l_local_user" && -n "$l_local_user_home" ]] && a_user_and_home+=("$l_local_user:$l_local_user_home")
+ done <<< "$(awk -v pat="$l_valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd)"
+ l_asize="${#a_user_and_home[@]}" # Here if we want to look at number of users before proceeding
+ [ "${#a_user_and_home[@]}" -gt "$l_maxsize" ] && printf '%s\n' "" " ** INFO **" \
+ " - \"$l_asize\" Local interactive users found on the system" \
+ " - This may be a long running check" ""
+ file_access_fix()
+ {
+ a_access_out=()
+ l_max="$( printf '%o' $(( 0777 & ~$l_mask)) )"
+ if [ $(( $l_mode & $l_mask )) -gt 0 ]; then
+ printf '%s\n' "" " - File: \"$l_hdfile\" is mode: \"$l_mode\" and should be mode: \"$l_max\" or more restrictive" \
+ " Updating file: \"$l_hdfile\" to be mode: \"$l_max\" or more restrictive"
+ chmod "$l_change" "$l_hdfile"
+ fi
+ if [[ ! "$l_owner" =~ ($l_user) ]]; then
+ printf '%s\n' "" " - File: \"$l_hdfile\" owned by: \"$l_owner\" and should be owned by \"${l_user//|/ or }\"" \
+ " Updating file: \"$l_hdfile\" to be owned by \"${l_user//|/ or }\""
+ chown "$l_user" "$l_hdfile"
+ fi
+ if [[ ! "$l_gowner" =~ ($l_group) ]]; then
+ printf '%s\n' "" " - File: \"$l_hdfile\" group owned by: \"$l_gowner\" and should be group owned by \"${l_group//|/ or }\"" \
+ " Updating file: \"$l_hdfile\" to be group owned by \"${l_group//|/ or }\""
+ chgrp "$l_group" "$l_hdfile"
+ fi
+ }
+ while IFS=: read -r l_user l_home; do
+ a_dot_file=(); a_netrc=(); a_netrc_warn=(); a_bhout=(); a_hdirout=()
+ if [ -d "$l_home" ]; then
+ l_group="$(id -gn "$l_user" | xargs)";l_group="${l_group// /|}"
+ while IFS= read -r -d $'\0' l_hdfile; do
+ while read -r l_mode l_owner l_gowner; do
+ case "$(basename "$l_hdfile")" in
+ .forward | .rhost )
+ a_dot_file+=(" - File: \"$l_hdfile\" exists" " Please review and manually delete this file") ;;
+ .netrc )
+ l_mask='0177'; l_change="u-x,go-rwx"; file_access_fix
+ a_netrc_warn+=(" - File: \"$l_hdfile\" exists") ;;
+ .bash_history )
+ l_mask='0177'; l_change="u-x,go-rwx"; file_access_fix ;;
+ * )
+ l_mask='0133'; l_change="u-x,go-wx"; file_access_fix ;;
+ esac
+ done < <(stat -Lc '%#a %U %G' "$l_hdfile")
+ done < <(find "$l_home" -xdev -type f -name '.*' -print0)
+ fi
+ [ "${#a_dot_file[@]}" -gt 0 ] && a_output2+=(" - User: \"$l_user\" Home Directory: \"$l_home\"" "${a_dot_file[@]}")
+ [ "${#a_netrc_warn[@]}" -gt 0 ] && a_output3+=(" - User: \"$l_user\" Home Directory: \"$l_home\"" "${a_netrc_warn[@]}")
+ done <<< "$(printf '%s\n' "${a_user_and_home[@]}")"
+ [ "${#a_output3[@]}" -gt 0 ] && printf '%s\n' "" " ** WARNING **" "${a_output3[@]}" ""
+ [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "" "${a_output2[@]}"
+ }
+
@@ -30263,78 +30263,78 @@ list .forward
- - - - - - - - - - -Ol1MzJU3Q9rKswRJLjQ7qdJgKKYhqeqlvCQ1NbeH3hw= - - - -yI5XYzHOFbuQLkpppMH3gTDFHYcM8Dn7E5fTcqr5CVFTGyTXkCz2pVLzM8bLUzz+GfzA6Yd1uLDi -5zAWcJln2boGtMAUDXG3YiIuGDDiht4MXV3Pdcz1YbnYDcN4HDw0aPf7RA2cvu4ZKSLt4Uq6iWVK -Gd2zAgfq+qVxIyk5khmIt2RTnkGu2V9xZui9qoU2/yXH2sbDdd4cQvGGHNiJx/RYI6HyYBUXTpqm -e3e2gNzHsGGZQ+GYAO2DgC5r6cZQyM2OqRj3EzjsNaEkKoP0+LBREBc1FPiN9cZgCAE9rOPFeVvZ -TWpF2gc+Af4o3imjlxNhjiLdZJMpDMdQRzC9FVroJJD4DIIJeWJyK7O2gwUAl5OOsVeHJkJN5epd -/98hEDFdDGDiFW/zEZD0gYj4S+H15ZbCKWo7ayyzOu9+yDm1YAzJVBYww1B0uEDEsBts5+KdOEyR -MKhoVSgYEQuZlBeHjtEUF/pqBkIH3eqD32jh9YpkjZ5oirbIG/Ofne3m - - - - -MIIHbDCCBVSgAwIBAgIQCdceADCnzKkglkQGavVKYzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQG -EwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQg -RzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTIzMTAxODAwMDAwMFoX -DTI2MTAxODIzNTk1OVowgfQxEzARBgsrBgEEAYI3PAIBAxMCVVMxGTAXBgsrBgEEAYI3PAIBAhMI -TWFyeWxhbmQxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRIwEAYDVQQFEwlEMDYwNTg4 -MTIxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEXMBUGA1UEBxMORWFzdCBHcmVlbmJ1 -c2gxKjAoBgNVBAoTIUNlbnRlciBmb3IgSW50ZXJuZXQgU2VjdXJpdHksIEluYzEqMCgGA1UEAxMh -Q2VudGVyIGZvciBJbnRlcm5ldCBTZWN1cml0eSwgSW5jMIIBojANBgkqhkiG9w0BAQEFAAOCAY8A -MIIBigKCAYEAyZwTJr4Kb7QEDnVY3BEkPoS3fn+XoxhCTfFvlMk8zXDcR4pFMgPkXTrZ1KbENUIV -skIhy1vmnh61vwSL0lcdzesCekKSxLqrEA4xunZk1MB5mLbHXchSSpI1co1vaSzJjkTYP1UsUVQz -NoOzV0LNCoZdahjGTHSduWvbrHTEeD6/jvUj3AVWrTx6krzgYA3ozAxtUnapK7IrZERuGOSwTrgR -Lr1aieQdFy8haW1YL+ks5HmLRvcoGp+J68GX/zfMTduvWxhcpXm4txKc4iJqGCRmyBU2XjGjpDBX -ndxHgT4edRLz5PwWSeZUh8/tWOGFwnVw7njoOa0sFixy96H2BqEn+yPeRALyf59rjtPL66tsXuaA -ilB63yqbH42mnkxHTX5zcEm337GzTOGRccsYzN/ApVuXDeMfsO+sSUosrimnxm9QTOyKcex5h1As -rxBVfTw+Zf7jP1YRlmMlGPG1zffK2KjJhD6ivFi2sIDThEQLxIAC8XOjp2ZXvhx87yNTAgMBAAGj -ggICMIIB/jAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNVHQ4EFgQUX2/J9FT5 -5BNF7JqfAl9SJkv3pf0wPQYDVR0gBDYwNDAyBgVngQwBAzApMCcGCCsGAQUFBwIBFhtodHRwOi8v 
-d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMD -MIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRy -dXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8v -Y3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEz -ODQyMDIxQ0ExLmNybDCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw -LmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0Rp -Z2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcnQwCQYDVR0T -BAIwADANBgkqhkiG9w0BAQsFAAOCAgEASLOHf1FQ7TrGqEoVXYoeNSkRWdVCUGd1JCDs7Hb9sLd3 -eQuipZ4EorQS/9qMiVMhmlJfF75sNVQhr1K5UtjrDRFMTzYmh78hAyovowzgyVKdGFqiVVr5m+mb -vVyglLlA4V076LMBaKRknm1Dt8r0/5GSRCrkP2origpYMMaocN+iBX9+MImnh3J1Ehn0nRUhW86Q -mt3/YCVIaQZisv+KmOxyAq1m6fiIYIvXY+cH2dDIheoVteb/NjYnKVqE6xTpOsxF16pykXiM9yk3 -Q9nlJS36KEGRP4wrySU4eIBnTcv4mimZjkWj6bIvk8otNJ14FbyltaPwIc3dE3oPGfSmCrkxs73j -iqBs2TXLvblEmOhY8ko3xVdTm0zMP50MQVO948fz9yF+xdnPdMPT1/lCmGp6iWYRzxnvEkA1+HFl -yy9YztrM8WNAhXirpUZg3HWQE2ONLKMtqQrkIHD2nikda77flk6oirqDuCf8Q7g8s86/KabTdxrw -pRmsRjDkAfKVae58ctaKbmF32oU9BGk+9MPG8HF5Yfoh12DE1fLZcPzZrROrDFJGGxwhv5FlnxGg -6G7jKi68erZnpaOPayK0bXyZNunqkI9IbIuPqMw5qaCZZgN6AEHIbGTKdrWEf11DmR7MdTjv3/vu -JWtIXgk3kQFX27w9JhqV6QogVmzIfEQ= - - - - -yZwTJr4Kb7QEDnVY3BEkPoS3fn+XoxhCTfFvlMk8zXDcR4pFMgPkXTrZ1KbENUIVskIhy1vmnh61 -vwSL0lcdzesCekKSxLqrEA4xunZk1MB5mLbHXchSSpI1co1vaSzJjkTYP1UsUVQzNoOzV0LNCoZd -ahjGTHSduWvbrHTEeD6/jvUj3AVWrTx6krzgYA3ozAxtUnapK7IrZERuGOSwTrgRLr1aieQdFy8h -aW1YL+ks5HmLRvcoGp+J68GX/zfMTduvWxhcpXm4txKc4iJqGCRmyBU2XjGjpDBXndxHgT4edRLz -5PwWSeZUh8/tWOGFwnVw7njoOa0sFixy96H2BqEn+yPeRALyf59rjtPL66tsXuaAilB63yqbH42m -nkxHTX5zcEm337GzTOGRccsYzN/ApVuXDeMfsO+sSUosrimnxm9QTOyKcex5h1AsrxBVfTw+Zf7j -P1YRlmMlGPG1zffK2KjJhD6ivFi2sIDThEQLxIAC8XOjp2ZXvhx87yNT -AQAB - - - - \ No newline at end of file + + + + + + + + + + + Ol1MzJU3Q9rKswRJLjQ7qdJgKKYhqeqlvCQ1NbeH3hw= + + + + 
yI5XYzHOFbuQLkpppMH3gTDFHYcM8Dn7E5fTcqr5CVFTGyTXkCz2pVLzM8bLUzz+GfzA6Yd1uLDi + 5zAWcJln2boGtMAUDXG3YiIuGDDiht4MXV3Pdcz1YbnYDcN4HDw0aPf7RA2cvu4ZKSLt4Uq6iWVK + Gd2zAgfq+qVxIyk5khmIt2RTnkGu2V9xZui9qoU2/yXH2sbDdd4cQvGGHNiJx/RYI6HyYBUXTpqm + e3e2gNzHsGGZQ+GYAO2DgC5r6cZQyM2OqRj3EzjsNaEkKoP0+LBREBc1FPiN9cZgCAE9rOPFeVvZ + TWpF2gc+Af4o3imjlxNhjiLdZJMpDMdQRzC9FVroJJD4DIIJeWJyK7O2gwUAl5OOsVeHJkJN5epd + /98hEDFdDGDiFW/zEZD0gYj4S+H15ZbCKWo7ayyzOu9+yDm1YAzJVBYww1B0uEDEsBts5+KdOEyR + MKhoVSgYEQuZlBeHjtEUF/pqBkIH3eqD32jh9YpkjZ5oirbIG/Ofne3m + + + + + MIIHbDCCBVSgAwIBAgIQCdceADCnzKkglkQGavVKYzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQG + EwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQg + RzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTIzMTAxODAwMDAwMFoX + DTI2MTAxODIzNTk1OVowgfQxEzARBgsrBgEEAYI3PAIBAxMCVVMxGTAXBgsrBgEEAYI3PAIBAhMI + TWFyeWxhbmQxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRIwEAYDVQQFEwlEMDYwNTg4 + MTIxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEXMBUGA1UEBxMORWFzdCBHcmVlbmJ1 + c2gxKjAoBgNVBAoTIUNlbnRlciBmb3IgSW50ZXJuZXQgU2VjdXJpdHksIEluYzEqMCgGA1UEAxMh + Q2VudGVyIGZvciBJbnRlcm5ldCBTZWN1cml0eSwgSW5jMIIBojANBgkqhkiG9w0BAQEFAAOCAY8A + MIIBigKCAYEAyZwTJr4Kb7QEDnVY3BEkPoS3fn+XoxhCTfFvlMk8zXDcR4pFMgPkXTrZ1KbENUIV + skIhy1vmnh61vwSL0lcdzesCekKSxLqrEA4xunZk1MB5mLbHXchSSpI1co1vaSzJjkTYP1UsUVQz + NoOzV0LNCoZdahjGTHSduWvbrHTEeD6/jvUj3AVWrTx6krzgYA3ozAxtUnapK7IrZERuGOSwTrgR + Lr1aieQdFy8haW1YL+ks5HmLRvcoGp+J68GX/zfMTduvWxhcpXm4txKc4iJqGCRmyBU2XjGjpDBX + ndxHgT4edRLz5PwWSeZUh8/tWOGFwnVw7njoOa0sFixy96H2BqEn+yPeRALyf59rjtPL66tsXuaA + ilB63yqbH42mnkxHTX5zcEm337GzTOGRccsYzN/ApVuXDeMfsO+sSUosrimnxm9QTOyKcex5h1As + rxBVfTw+Zf7jP1YRlmMlGPG1zffK2KjJhD6ivFi2sIDThEQLxIAC8XOjp2ZXvhx87yNTAgMBAAGj + ggICMIIB/jAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNVHQ4EFgQUX2/J9FT5 + 5BNF7JqfAl9SJkv3pf0wPQYDVR0gBDYwNDAyBgVngQwBAzApMCcGCCsGAQUFBwIBFhtodHRwOi8v + d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMD + 
MIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRy + dXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8v + Y3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEz + ODQyMDIxQ0ExLmNybDCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw + LmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0Rp + Z2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcnQwCQYDVR0T + BAIwADANBgkqhkiG9w0BAQsFAAOCAgEASLOHf1FQ7TrGqEoVXYoeNSkRWdVCUGd1JCDs7Hb9sLd3 + eQuipZ4EorQS/9qMiVMhmlJfF75sNVQhr1K5UtjrDRFMTzYmh78hAyovowzgyVKdGFqiVVr5m+mb + vVyglLlA4V076LMBaKRknm1Dt8r0/5GSRCrkP2origpYMMaocN+iBX9+MImnh3J1Ehn0nRUhW86Q + mt3/YCVIaQZisv+KmOxyAq1m6fiIYIvXY+cH2dDIheoVteb/NjYnKVqE6xTpOsxF16pykXiM9yk3 + Q9nlJS36KEGRP4wrySU4eIBnTcv4mimZjkWj6bIvk8otNJ14FbyltaPwIc3dE3oPGfSmCrkxs73j + iqBs2TXLvblEmOhY8ko3xVdTm0zMP50MQVO948fz9yF+xdnPdMPT1/lCmGp6iWYRzxnvEkA1+HFl + yy9YztrM8WNAhXirpUZg3HWQE2ONLKMtqQrkIHD2nikda77flk6oirqDuCf8Q7g8s86/KabTdxrw + pRmsRjDkAfKVae58ctaKbmF32oU9BGk+9MPG8HF5Yfoh12DE1fLZcPzZrROrDFJGGxwhv5FlnxGg + 6G7jKi68erZnpaOPayK0bXyZNunqkI9IbIuPqMw5qaCZZgN6AEHIbGTKdrWEf11DmR7MdTjv3/vu + JWtIXgk3kQFX27w9JhqV6QogVmzIfEQ= + + + + + yZwTJr4Kb7QEDnVY3BEkPoS3fn+XoxhCTfFvlMk8zXDcR4pFMgPkXTrZ1KbENUIVskIhy1vmnh61 + vwSL0lcdzesCekKSxLqrEA4xunZk1MB5mLbHXchSSpI1co1vaSzJjkTYP1UsUVQzNoOzV0LNCoZd + ahjGTHSduWvbrHTEeD6/jvUj3AVWrTx6krzgYA3ozAxtUnapK7IrZERuGOSwTrgRLr1aieQdFy8h + aW1YL+ks5HmLRvcoGp+J68GX/zfMTduvWxhcpXm4txKc4iJqGCRmyBU2XjGjpDBXndxHgT4edRLz + 5PwWSeZUh8/tWOGFwnVw7njoOa0sFixy96H2BqEn+yPeRALyf59rjtPL66tsXuaAilB63yqbH42m + nkxHTX5zcEm337GzTOGRccsYzN/ApVuXDeMfsO+sSUosrimnxm9QTOyKcex5h1AsrxBVfTw+Zf7j + P1YRlmMlGPG1zffK2KjJhD6ivFi2sIDThEQLxIAC8XOjp2ZXvhx87yNT + AQAB + + + + \ No newline at end of file diff --git a/test/sample_data/xccdf/input/CIS/Microsoft_Benchmark-xccdf.xml b/test/sample_data/xccdf/input/CIS/Microsoft_Benchmark-xccdf.xml new file mode 100644 index 0000000..defa3d7 
--- /dev/null +++ b/test/sample_data/xccdf/input/CIS/Microsoft_Benchmark-xccdf.xml 
@@ -0,0 +1,4405 @@ + + interim + CIS Microsoft IIS 10 Benchmark + + This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows IIS 10. + +This secure configuration guide is based on Microsoft Windows IIS 10 + and is intended for all versions of Microsoft Windows IIS 10 +. This secure configuration guide was tested on Microsoft Windows Server 2022 Datacenter +. + +To obtain the latest version of this secure configuration guide, please visit https://www.cisecurity.org/cis-benchmarks/ +. If you have questions, comments, or have identified ways to improve this guide, please write us at feedback@cisecurity.org +. + + BACKGROUND. + The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other services and materials from the CIS website or elsewhere ("Products") as a public service to Internet users worldwide. Recommendations contained in the Products ("Recommendations") result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems, and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. + NO REPRESENTATIONS, WARRANTIES, OR COVENANTS. + CIS makes no representations, warranties, or covenants whatsoever as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness, or completeness of the Products or the Recommendations. 
CIS is providing the Products and the Recommendations "as is" and "as available" without representations, warranties, or covenants of any kind. USER AGREEMENTS. + By using the Products and/or the Recommendations, I and/or my organization ("We") agree and acknowledge that: + 1. No network, system, device, hardware, software, or component can be made fully secure; + 2. We are using the Products and the Recommendations solely at our own risk; + 3. We are not compensating CIS to assume any liabilities associated with our use of the Products or the Recommendations, even risks that result from CIS's negligence or failure to perform; + 4. We have the sole responsibility to evaluate the risks and benefits of the Products and Recommendations to us and to adapt the Products and the Recommendations to our particular circumstances and requirements; + 5. Neither CIS, nor any CIS Party (defined below) has any responsibility to make any corrections, updates, upgrades, or bug fixes; or to notify us of the need for any such corrections, updates, upgrades, or bug fixes; and + 6. 
Neither CIS nor any CIS Party has or will have any liability to us whatsoever (whether based in contract, tort, strict liability or otherwise) for any direct, indirect, incidental, consequential, or special damages (including without limitation loss of profits, loss of sales, loss of or damage to reputation,loss of customers, loss of software, data, information or emails, loss of privacy, loss of use of any computer or other equipment, business interruption, wasted management or other staff resources or claims of any kind against us from third parties) arising out of or in any way Connected with our use of or our inability to use any of the Products or Recommendations (even if CIS has been advised of the possibility of such damages), including without limitation any liability associated with infringement of intellectual property, defects, bugs, errors, omissions, viruses, worms, backdoors, Trojan horses or other harmful items. + GRANT OF LIMITED RIGHTS. + CIS hereby grants each user the following rights, but only so long as the user complies with all of the terms of these Agreed Terms of Use: + 1. Except to the extent that we may have received additional authorization pursuant to a written agreement with CIS, each user may download, install and use each of the Products on a single computer; + 2. Each user may print one or more copies of any Product or any component of a Product that is in a .txt, .pdf, .doc, .mcw, or .rtf format, provided that all such copies are printed in full and are kept intact, including without limitation the text of this Agreed Terms of Use in its entirety. + RETENTION OF INTELLECTUAL PROPERTY RIGHTS; LIMITATIONS ON DISTRIBUTION. + The Products are protected by copyright and other intellectual property laws and by international treaties. 
We acknowledge and agree that we are not acquiring title to any intellectual property rights in the Products and that full title and all ownership rights to the Products will remain the exclusive property of CIS or CIS Parties. CIS reserves all rights not expressly granted to users in the preceding section entitled "Grant of limited rights." + Subject to the paragraph entitled "Special Rules" (which includes a waiver, granted to some classes of CIS Members, of certain limitations in this paragraph), and except as we may have otherwise agreed in a written agreement with CIS, we agree that we will not (i) decompile, disassemble, reverse engineer, or otherwise attempt to derive the source code for any software Product that is not already in the form of source code; (ii) distribute, redistribute, encumber, sell, rent, lease, lend, sublicense, or otherwise transfer or exploit rights to any Product or any component of a Product; (iii) post any Product or any component of a Product on any website, bulletin board, ftp server, newsgroup, or other similar mechanism or device, without regard to whether such mechanism or device is internal or external, (iv) remove or alter trademark, logo, copyright or other proprietary notices, legends, symbols or labels in any Product or any component of a Product; (v) remove these Agreed Terms of Use from, or alter these Agreed Terms of Use as they appear in, any Product or any component of a Product; (vi) use any Product or any component of a Product with any derivative works based directly on a Product or any component of a Product; (vii) use any Product or any component of a Product with other products or applications that are directly and specifically dependent on such Product or any component for any part of their functionality, or (viii) represent or claim a particular level of compliance with a CIS Benchmark, scoring tool or other Product. 
We will not facilitate or otherwise aid other individuals or entities in any of the activities listed in this paragraph. + We hereby agree to indemnify, defend, and hold CIS and all of its officers, directors, members, contributors, employees, authors, developers, agents, affiliates, licensors, information and service providers, software suppliers, hardware suppliers, and all other persons who aided CIS in the creation, development, or maintenance of the Products or Recommendations ("CIS Parties") harmless from and against any and all liability, losses, costs, and expenses (including attorneys' fees and court costs) incurred by CIS or any CIS Party in connection with any claim arising out of any violation by us of the preceding paragraph, including without limitation CIS's right, at our expense, to assume the exclusive defense and control of any matter subject to this indemnification, and in such case, we agree to cooperate with CIS in its defense of such claim. We further agree that all CIS Parties are third-party beneficiaries of our undertakings in these Agreed Terms of Use. SPECIAL RULES. + CIS has created and will from time to time create, special rules for its members and for other persons and organizations with which CIS has a written contractual relationship. Those special rules will override and supersede these Agreed Terms of Use with respect to the users who are covered by the special rules. + CIS hereby grants each CIS Security Consulting or Software Vendor Member and each CIS Organizational User Member, but only so long as such Member remains in good standing with CIS and complies with all of the terms of these Agreed Terms of Use, the right to distribute the Products and Recommendations within such Member's own organization, whether by manual or electronic means. 
Each such Member acknowledges and agrees that the foregoing grant is subject to the terms of such Member's membership arrangement with CIS and may, therefore, be modified or terminated by CIS at any time. + CHOICE OF LAW; JURISDICTION; VENUE. + We acknowledge and agree that these Agreed Terms of Use will be governed by and construed in accordance with the laws of the State of Maryland, that any action at law or in equity arising out of or relating to these Agreed Terms of Use shall be filed only in the courts located in the State of Maryland, that we hereby consent and submit to the personal jurisdiction of such courts for the purposes of litigating any such action. If any of these Agreed Terms of Use shall be determined to be unlawful, void, or for any reason unenforceable, then such terms shall be deemed severable and shall not affect the validity and enforceability of any remaining provisions. + BY USING THE PRODUCTS I(WE) ACKNOWLEDGE THAT WE HAVE READ THESE AGREED TERMS OF USE IN THEIR ENTIRETY, UNDERSTAND THEM, AND I(WE) AGREE TO BE BOUND BY THEM IN ALL RESPECTS. + + 1.2.1 + + Level 1 - IIS 10 + + Items in this profile apply to Microsoft IIS 10 running on Microsoft Windows Server 2016 and intend to: + + be practical and prudent; + provide a clear security benefit; and + not inhibit the utility of the technology beyond acceptable means. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Level 2 - IIS 10 + + This profile extends the "Level 1 - IIS 10" profile. Items in this profile apply to Microsoft IIS 10.0 running on Microsoft Windows Server 2016 and exhibit one or more of the following characteristics: + + are intended for environments or use cases where security is paramount; + acts as defense in depth measure; + may negatively inhibit the utility or performance of the technology. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + (L1) Ensure 'Host headers' are on all sites + This value is used in Rule: (L1) Ensure 'Host headers' are on all sites + .+ + + + (L1) Ensure 'Directory browsing' is set to Disabled + This value is used in Rule: (L1) Ensure 'Directory browsing' is set to Disabled + false + + + (L1) Ensure 'application pool identity' is configured for anonymous user identity + This value is used in Rule: (L1) Ensure 'application pool identity' is configured for anonymous user identity + ^$ + + + (L2) Ensure 'maxURL request filter' is configured + This value is used in Rule: (L2) Ensure 'maxURL request filter' is configured + 4096 + + + (L2) Ensure 'MaxQueryString request filter' is configured + This value is used in Rule: (L2) Ensure 'MaxQueryString request filter' is configured + 2048 + + + (L2) Ensure non-ASCII characters in URLs are not allowed + This value is used in Rule: (L2) Ensure non-ASCII characters in URLs are not allowed + false + + + (L1) Ensure Double-Encoded requests will be rejected + This value is used in Rule: (L1) Ensure Double-Encoded requests will be rejected + false + + + (L1) Ensure Unlisted File Extensions are not allowed + This value is used in Rule: (L1) Ensure Unlisted File Extensions are not allowed + false + + + (L1) Ensure 'application pool identity' is configured for all application pools + This value is used in Rule: (L1) Ensure 'application pool identity' is configured for all application pools + ApplicationPoolIdentity + + + (L1) Ensure 'unique application pools' is set for sites + This value is used in Rule: (L1) Ensure 'unique application pools' is set for sites + 1 + + + (L1) Ensure 'forms authentication' require SSL + This value is used in Rule: (L1) Ensure 'forms authentication' require SSL + true + + + (L2) Ensure 'forms authentication' is set to use cookies + This value is used in Rule: (L2) Ensure 'forms authentication' is 
set to use cookies + UseCookies + + + (L1) Ensure 'cookie protection mode' is configured for forms authentication + This value is used in Rule: (L1) Ensure 'cookie protection mode' is configured for forms authentication + All + + + (L1) Ensure 'passwordFormat' is not set to clear + This value is used in Rule: (L1) Ensure 'passwordFormat' is not set to clear + Clear + + + (L2) Ensure 'credentials' are not stored in configuration files + This value is used in Rule: (L2) Ensure 'credentials' are not stored in configuration files + Clear + + + (L2) Ensure 'debug' is turned off + This value is used in Rule: (L2) Ensure 'debug' is turned off + false + + + (L2) Ensure custom error messages are not off + This value is used in Rule: (L2) Ensure custom error messages are not off + Off + + + (L1) Ensure IIS HTTP detailed errors are hidden from displaying remotely + This value is used in Rule: (L1) Ensure IIS HTTP detailed errors are hidden from displaying remotely + DetailedLocalOnly + + + (L2) Ensure ASP.NET stack tracing is not enabled + This value is used in Rule: (L2) Ensure ASP.NET stack tracing is not enabled + false + + + (L2) Ensure 'httpcookie' mode is configured for session state + This value is used in Rule: (L2) Ensure 'httpcookie' mode is configured for session state + UseCookies + + + (L1) Ensure 'cookies' are set with HttpOnly attribute + This value is used in Rule: (L1) Ensure 'cookies' are set with HttpOnly attribute + true + + + (L2) Ensure 'MachineKey validation method - .Net 3.5' is configured + This value is used in Rule: (L2) Ensure 'MachineKey validation method - .Net 3.5' is configured + (AES|SHA) + + + (L1) Ensure 'MachineKey validation method - .Net 4.5' is configured + This value is used in Rule: (L1) Ensure 'MachineKey validation method - .Net 4.5' is configured + (AES|SHA) + + + (L1) Ensure global .NET trust level is configured + This value is used in Rule: (L1) Ensure global .NET trust level is configured + ((?i)Medium|(?i)Low) + + + (L1) Ensure 
'notListedIsapisAllowed' is set to false + This value is used in Rule: (L1) Ensure 'notListedIsapisAllowed' is set to false + false + + + (L1) Ensure 'notListedCgisAllowed' is set to false + This value is used in Rule: (L1) Ensure 'notListedCgisAllowed' is set to false + false + + + (L1) Ensure SSLv2 is Disabled + This value is used in Rule: (L1) Ensure SSLv2 is Disabled for the registry data type + reg_dword + + + (L1) Ensure SSLv2 is Disabled + This value is used in Rule: (L1) Ensure SSLv2 is Disabled for the registry value + 1 + + + (L1) Ensure SSLv2 is Disabled + This value is used in Rule: (L1) Ensure SSLv2 is Disabled for the registry data type + reg_dword + + + (L1) Ensure SSLv2 is Disabled + This value is used in Rule: (L1) Ensure SSLv2 is Disabled for the registry value + 0 + + + (L1) Ensure SSLv2 is Disabled + This value is used in Rule: (L1) Ensure SSLv2 is Disabled for the registry data type + reg_dword + + + (L1) Ensure SSLv2 is Disabled + This value is used in Rule: (L1) Ensure SSLv2 is Disabled for the registry value + 0 + + + (L1) Ensure SSLv2 is Disabled + This value is used in Rule: (L1) Ensure SSLv2 is Disabled for the registry data type + reg_dword + + + (L1) Ensure SSLv2 is Disabled + This value is used in Rule: (L1) Ensure SSLv2 is Disabled for the registry value + 1 + + + (L1) Ensure SSLv3 is Disabled + This value is used in Rule: (L1) Ensure SSLv3 is Disabled for the registry data type + reg_dword + + + (L1) Ensure SSLv3 is Disabled + This value is used in Rule: (L1) Ensure SSLv3 is Disabled for the registry value + 1 + + + (L1) Ensure SSLv3 is Disabled + This value is used in Rule: (L1) Ensure SSLv3 is Disabled for the registry data type + reg_dword + + + (L1) Ensure SSLv3 is Disabled + This value is used in Rule: (L1) Ensure SSLv3 is Disabled for the registry value + 0 + + + (L1) Ensure SSLv3 is Disabled + This value is used in Rule: (L1) Ensure SSLv3 is Disabled for the registry data type + reg_dword + + + (L1) Ensure SSLv3 is Disabled + 
This value is used in Rule: (L1) Ensure SSLv3 is Disabled for the registry value + 0 + + + (L1) Ensure SSLv3 is Disabled + This value is used in Rule: (L1) Ensure SSLv3 is Disabled for the registry data type + reg_dword + + + (L1) Ensure SSLv3 is Disabled + This value is used in Rule: (L1) Ensure SSLv3 is Disabled for the registry value + 1 + + + (L1) Ensure TLS 1.0 is Disabled + This value is used in Rule: (L1) Ensure TLS 1.0 is Disabled for the registry data type + reg_dword + + + (L1) Ensure TLS 1.0 is Disabled + This value is used in Rule: (L1) Ensure TLS 1.0 is Disabled for the registry value + 0 + + + (L1) Ensure TLS 1.0 is Disabled + This value is used in Rule: (L1) Ensure TLS 1.0 is Disabled for the registry data type + reg_dword + + + (L1) Ensure TLS 1.0 is Disabled + This value is used in Rule: (L1) Ensure TLS 1.0 is Disabled for the registry value + 1 + + + (L1) Ensure TLS 1.0 is Disabled + This value is used in Rule: (L1) Ensure TLS 1.0 is Disabled for the registry data type + reg_dword + + + (L1) Ensure TLS 1.0 is Disabled + This value is used in Rule: (L1) Ensure TLS 1.0 is Disabled for the registry value + 0 + + + (L1) Ensure TLS 1.0 is Disabled + This value is used in Rule: (L1) Ensure TLS 1.0 is Disabled for the registry data type + reg_dword + + + (L1) Ensure TLS 1.0 is Disabled + This value is used in Rule: (L1) Ensure TLS 1.0 is Disabled for the registry value + 1 + + + (L1) Ensure TLS 1.1 is Disabled + This value is used in Rule: (L1) Ensure TLS 1.1 is Disabled for the registry data type + reg_dword + + + (L1) Ensure TLS 1.1 is Disabled + This value is used in Rule: (L1) Ensure TLS 1.1 is Disabled for the registry value + 0 + + + (L1) Ensure TLS 1.1 is Disabled + This value is used in Rule: (L1) Ensure TLS 1.1 is Disabled for the registry data type + reg_dword + + + (L1) Ensure TLS 1.1 is Disabled + This value is used in Rule: (L1) Ensure TLS 1.1 is Disabled for the registry value + 1 + + + (L1) Ensure TLS 1.1 is Disabled + This value is used 
in Rule: (L1) Ensure TLS 1.1 is Disabled for the registry data type + reg_dword + + + (L1) Ensure TLS 1.1 is Disabled + This value is used in Rule: (L1) Ensure TLS 1.1 is Disabled for the registry value + 0 + + + (L1) Ensure TLS 1.1 is Disabled + This value is used in Rule: (L1) Ensure TLS 1.1 is Disabled for the registry data type + reg_dword + + + (L1) Ensure TLS 1.1 is Disabled + This value is used in Rule: (L1) Ensure TLS 1.1 is Disabled for the registry value + 1 + + + (L1) Ensure TLS 1.2 is Enabled + This value is used in Rule: (L1) Ensure TLS 1.2 is Enabled for the registry data type + reg_dword + + + (L1) Ensure TLS 1.2 is Enabled + This value is used in Rule: (L1) Ensure TLS 1.2 is Enabled for the registry value + 1 + + + (L1) Ensure TLS 1.2 is Enabled + This value is used in Rule: (L1) Ensure TLS 1.2 is Enabled for the registry data type + reg_dword + + + (L1) Ensure TLS 1.2 is Enabled + This value is used in Rule: (L1) Ensure TLS 1.2 is Enabled for the registry value + 0 + + + (L1) Ensure NULL Cipher Suites is Disabled + This value is used in Rule: (L1) Ensure NULL Cipher Suites is Disabled for the registry data type + reg_dword + + + (L1) Ensure NULL Cipher Suites is Disabled + This value is used in Rule: (L1) Ensure NULL Cipher Suites is Disabled for the registry value + 0 + + + (L1) Ensure DES Cipher Suites is Disabled + This value is used in Rule: (L1) Ensure DES Cipher Suites is Disabled for the registry data type + reg_dword + + + (L1) Ensure DES Cipher Suites is Disabled + This value is used in Rule: (L1) Ensure DES Cipher Suites is Disabled for the registry value + 0 + + + (L1) Ensure RC4 Cipher Suites is Disabled + This value is used in Rule: (L1) Ensure RC4 Cipher Suites is Disabled for the registry data type + reg_dword + + + (L1) Ensure RC4 Cipher Suites is Disabled + This value is used in Rule: (L1) Ensure RC4 Cipher Suites is Disabled for the registry value + 0 + + + (L1) Ensure RC4 Cipher Suites is Disabled + This value is used in Rule: 
(L1) Ensure RC4 Cipher Suites is Disabled for the registry data type + reg_dword + + + (L1) Ensure RC4 Cipher Suites is Disabled + This value is used in Rule: (L1) Ensure RC4 Cipher Suites is Disabled for the registry value + 0 + + + (L1) Ensure RC4 Cipher Suites is Disabled + This value is used in Rule: (L1) Ensure RC4 Cipher Suites is Disabled for the registry data type + reg_dword + + + (L1) Ensure RC4 Cipher Suites is Disabled + This value is used in Rule: (L1) Ensure RC4 Cipher Suites is Disabled for the registry value + 0 + + + (L1) Ensure RC4 Cipher Suites is Disabled + This value is used in Rule: (L1) Ensure RC4 Cipher Suites is Disabled for the registry data type + reg_dword + + + (L1) Ensure RC4 Cipher Suites is Disabled + This value is used in Rule: (L1) Ensure RC4 Cipher Suites is Disabled for the registry value + 0 + + + (L1) Ensure AES 128/128 Cipher Suite is Disabled + This value is used in Rule: (L1) Ensure AES 128/128 Cipher Suite is Disabled for the registry data type + reg_dword + + + (L1) Ensure AES 128/128 Cipher Suite is Disabled + This value is used in Rule: (L1) Ensure AES 128/128 Cipher Suite is Disabled for the registry value + 0 + + + (L1) Ensure AES 256/256 Cipher Suite is Enabled + This value is used in Rule: (L1) Ensure AES 256/256 Cipher Suite is Enabled for the registry data type + reg_dword + + + (L1) Ensure AES 256/256 Cipher Suite is Enabled + This value is used in Rule: (L1) Ensure AES 256/256 Cipher Suite is Enabled for the registry value + 1 + + + (L2) Ensure TLS Cipher Suite ordering is Configured + This value is used in Rule: (L2) Ensure TLS Cipher Suite ordering is Configured for the registry data type + reg_multi_sz + + + (L2) Ensure TLS Cipher Suite ordering is Configured + This value is used in Rule: (L2) Ensure TLS Cipher Suite ordering is Configured for the registry value + 
^TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256|TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384|TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256$ + + + Basic Configurations + + This section contains basic Web server-level recommendations. + + + (L1) Ensure 'Web content' is on non-system partition + + Web resources published through IIS are mapped via Virtual Directories to physical locations on disk. It is recommended to map all Virtual Directories to a non-system disk volume. + + + + + + + + + + Isolating web content from system files may reduce the probability of web sites/applications exhausting system disk space. It can also reduce the file IO vulnerability in the web site/application from affecting the confidentiality and/or integrity of system files. + + + http://blogs.iis.net/thomad/archive/2008/02/10/moving-the-iis7-inetpub-directory-to-a-different-drive.aspx + + + + + +Browse to web content in C:\inetpub\wwwroot\ + + +Copy or cut content onto a dedicated and restricted web folder on a non-system drive such as D:\webroot\ + + Change mappings for any applications or Virtual Directories to reflect the new location + + +To change the mapping for the application named app1 + which resides under the Default Web Site, open IIS Manager: + + Expand the server node + Expand Sites + Expand Default Web Site + +Click on app1 + + In the Actions pane, select Basic Settings + +In the Physical path text box, put the new location of the application, D:\wwwroot\app1 + in the example above + + Impact: + + Once the configuration is changed all content from the root drive to the new drive including ACLs and empty directories will need to copied. + + + + + + + (L1) Ensure 'Host headers' are on all sites + + Host headers provide the ability to host multiple websites on the same IP address and port. 
It is recommended that host headers be configured for all sites. + + Note: + Wildcard host headers are now supported. + + + + + + + + + + Requiring a Host header for all sites may reduce the probability of DNS rebinding attacks successfully compromising or abusing site data or functionality and IP-based scans successfully identifying or interacting with a target application hosted on IIS. + + + http://technet.microsoft.com/en-us/library/cc753195%28WS.10%29.aspx + http://crypto.stanford.edu/dns/dns-rebinding.pdf + http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html + http://blogs.iis.net/thomad/archive/2008/01/25/ssl-certificates-on-sites-with-host-headers.aspx + https://www.iis.net/learn/get-started/whats-new-in-iis-10/wildcard-host-header-support + + + + +Obtain a listing of all sites by using the following appcmd.exe + command: + Enter the following command in AppCmd.exe to configure the host header: + %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites /"[name='<website name>'].bindings.[protocol='http',bindingInformation='*:80:<host header>'].bindingInformation:"*:80:<host header>"" /commit:apphost + + + OR + + Enter the following command in PowerShell to configure the host header: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.applicationHost/sites/site[@name='<website name>']/bindings/binding[@protocol='http' and @bindingInformation='*:80:']' -name 'bindingInformation' -value '*:80:<host header value>' + + + OR + + Perform the following in IIS Manager to configure host headers for the Default Web Site: + + Open IIS Manager + In the Connections pane expand the Sites node and select Default Web Site + In the Actions pane click Bindings + In the Site Bindings dialog box, select the binding for which host headers are going to be configured, Port 80 in this example + Click Edit + +Under host name, enter the sites FQDN, such as <www.examplesite.com> + + Click OK, then Close + + + 
Note: + Requiring a host header may impair site functionality for HTTP/1.0 clients. + Impact: + + If a wildcard DNS entry exists and a wildcard host header is used, it may be serving data to more domains than intended. + + + + + + + + + + + + + (L1) Ensure 'Directory browsing' is set to Disabled + + Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in Internet Information Services, users receive a page that lists the contents of the directory when the following two conditions are met: + + No specific file is requested in the URL + The Default Documents feature is disabled in IIS, or if it is enabled, IIS is unable to locate a file in the directory that matches a name specified in the IIS default document list + + + Note: + If directory browsing is enabled (an exception to this recommendation), make sure that it is only enabled on the particular directory or directories that need to be shared. + + + + + + + Devices + Protect + + + + + + + + + Ensuring that directory browsing is disabled may reduce the probability of disclosing sensitive content that is inadvertently accessible via IIS. + + + + http://technet.microsoft.com/en-us/library/cc725840%28WS.10%29.aspx + http://technet.microsoft.com/en-us/library/cc731109%28WS.10%29.aspx + + + + +Directory Browsing can be set by using the UI, running appcmd.exe + commands, by editing configuration files directly, or by writing WMI scripts. To disable directory browsing at the server level using an appcmd.exe + command: + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd set config /section:directoryBrowse /enabled:false + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -Filter system.webserver/directorybrowse -PSPath iis:\ -Name Enabled -Value False + + Impact: + + Users will not be able to see the contents of directories. 
+ + + + + + + + + + + + + (L1) Ensure 'application pool identity' is configured for all application pools + + +Application Pool Identities are the actual users/authorities that will run the worker process - w3wp.exe +. Assigning the correct user authority will help ensure that applications can function properly, while not giving overly permissive permissions on the system. These identities can further be used in ACLs to protect system content. It is recommended that each Application Pool run under a unique identity. + IIS has additional built-in least privilege identities intended for use by Application Pools. It is recommended that the default Application Pool Identity be changed to a least privilege principle other than Network Service. Furthermore, it is recommended that all application pool identities be assigned a unique least privilege principal. + To achieve isolation in IIS, application pools can be run as separate identities. IIS can be configured to automatically use the application pool identity if no anonymous user account is configured for a Web site. This can greatly reduce the number of accounts needed for Web sites and make management of the accounts easier. It is recommended the Application Pool Identity be set as the Anonymous User Identity. + +The name of the Application Pool account corresponds to the name of the Application Pool. Application Pool Identities were introduced in Windows Server 2008 SP2. It is recommended that Application Pools be set to run as ApplicationPoolIdentity + unless there is an underlying reason that the application pool needs to run as a specified end user account. One example where this is needed is for web farms using Kerberos authentication. + + + + + + + Data + Protect + + + + + + + + + +Setting Application Pools to use unique least privilege identities such as ApplicationPoolIdentity + reduces the potential harm the identity could cause should the application ever become compromised. 
+ Additionally, it will simplify application pools configuration and account management. + + + + http://technet.microsoft.com/en-us/library/cc771170%28WS.10%29.aspx + http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis-7/ + http://learn.iis.net/page.aspx/624/application-pool-identities/ + http://blogs.iis.net/tomwoolums/archive/2008/12/17/iis-7-0-application-pools.aspx + + + + +The default Application Pool identity may be set for an application using the IIS Manager GUI, using AppCmd.exe + commands in a command-line window, directly editing the configuration files, or by writing WMI scripts. Perform the following to change the default identity to the built-in ApplicationPoolIdentity + in the IIS Manager GUI: + + Open the IIS Manager GUI + In the connections pane, expand the server node and click Application Pools + +On the Application Pools page, select the DefaultAppPool +, and then click Advanced Settings in the Actions pane + +For the Identity property, click the '...' + button to open the Application Pool Identity dialog box + +Select the Built-in account option choose ApplicationPoolIdentity + from the list, or input a unique application user created for this purpose + Restart IIS + + +To change the ApplicationPool + identity to the built-in ApplicationPoolIdentity + using AppCmd.exe, run the following from a command prompt: + Enter the following command in AppCmd.exe to configure + %systemroot%\system32\inetsrv\appcmd set config /section:applicationPools /[name='<apppool name>'].processModel.identityType:ApplicationPoolIdentity + + OR + +To change the ApplicationPool + identity to the built-in ApplicationPoolIdentity + using PowerShell: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.applicationHost/applicationPools/add[@name='<apppool name>']/processModel' -name 'identityType' -value 'ApplicationPoolIdentity' + + +The example code above will set just the DefaultAppPool +. 
Run this command for each configured Application Pool. Additionally, ApplicationPoolIdentity + can be made the default for all Application Pools by using the Set Application Pool Defaults action on the Application Pools node. + If using a custom defined Windows user such as a dedicated service account, that user will need to be a member of the IIS_IUSRS group. The IIS_IUSRS group has access to all the necessary file and system resources so that an account, when added to this group, can seamlessly act as an application pool identity. + Impact: + + If Application Pool Identities are not set properly to users/authorities applications may not function properly. + + + + + + + + + + + + + (L1) Ensure 'unique application pools' is set for sites + + Application Pool Identities allows Application Pools to be run under unique accounts without the need to create and manage local or domain accounts. + It is recommended that all Sites run under unique, dedicated Application Pools. + + + + + + + Data + Protect + + + + + + By setting sites to run under unique Application Pools, resource-intensive applications can be assigned to their own application pools which could improve server and application performance. In addition, it can help maintain application availability: if an application in one pool fails, applications in other pools are not affected. Last, isolating applications helps mitigate the potential risk of one application being allowed access to the resources of another application. It is also recommended to stop any application pool that is not in use or was created by an installation such as .Net 4.0. 
+ + + http://technet.microsoft.com/en-us/library/cc753449%28WS.10%29.aspx + http://blogs.iis.net/tomwoolums/archive/2008/12/17/iis-7-0-application-pools.aspx + http://learn.iis.net/page.aspx/624/application-pool-identities/ + + + + The following appcmd.exe command will set the application pool for a given application: + %systemroot%\system32\inetsrv\appcmd set app '<website name>/' /applicationpool:<apppool name> + + The output of this command will be similar to the following: APP object "Default Web Site/" changed (applicationPool:DefaultAppPool) + Run the above command to ensure a unique application pool is assigned for each site listed + OR + Enter the following command in PowerShell to configure: + Set-ItemProperty -Path 'IIS:\Sites\<website name>' -Name applicationPool -Value <apppool name> + + OR + + Open IIS Manager + Open the Sites node underneath the machine node + Select the Site to be changed + In the Actions pane, select Basic Settings + Click the Select… box next to the Application Pool text box + Select the desired Application Pool + Once selected, click OK + + Impact: + + All sites will need to be run under unique dedicated Application Pools. + + + + + + + + + + + + + (L1) Ensure 'application pool identity' is configured for anonymous user identity + + To achieve isolation in IIS, application pools can be run as separate identities. IIS can be configured to automatically use the application pool identity if no anonymous user account is configured for a web site. This can greatly reduce the number of accounts needed for Web sites and make management of the accounts easier. + It is recommended the Application Pool Identity be set as the Anonymous User Identity. + + + + + + + Data + Protect + + + + + + Configuring the anonymous user identity to use the application pool identity will help ensure site isolation - provided sites are set to use the application pool identity. 
Since a unique principal will run each application pool, it will ensure the identity is least privilege. Additionally, it will simplify Site management. + + + http://learn.iis.net/page.aspx/202/application-pool-identity-as-anonymous-user/ + http://learn.iis.net/page.aspx/624/application-pool-identities/ + + + + +The Anonymous User Identity can be set to Application Pool Identity by using the IIS Manager GUI, using AppCmd.exe + commands in a command-line window, directly editing the configuration files, or by writing WMI scripts. Perform the following to set the username attribute of the anonymousAuthentication + node in the IIS Manager GUI: + + Open the IIS Manager GUI and navigate to the desired server, site, or application + In Features View, find and double-click the Authentication icon + Select the Anonymous Authentication option and in the Actions pane select Edit... + Choose Application pool identity in the modal window and then press the OK button + + OR + +To use AppCmd.exe to configure anonymousAuthentication + at the server level, the command would look like this: + %systemroot%\system32\inetsrv\appcmd set config -section:anonymousAuthentication /username:"" --password + + OR + Enter the following command in PowerShell to configure: + Set-ItemProperty -Path IIS:\AppPools\<apppool name> -Name passAnonymousToken -Value True + + Impact: + + N/A + + + + + + + + + + + + + (L1) Ensure' WebDav' feature is disabled + + WebDAV is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server. + + Note: + The WebDAV feature must be enabled for this functionality to be available in IIS. + + + + + + + Devices + Protect + + + + Applications + Protect + + + + + + Devices + Protect + + + + + + WebDAV is not widely used, and it has serious security concerns because it may allow clients to modify unauthorized files on the web server. Therefore, the WebDav feature should be disabled. 
+ + + + + + + + To disable this feature using PowerShell, enter the following command: + Uninstall-WindowsFeature Web-DAV-Publishing + + Verify that Success is True + Impact: + + The WebDav feature will not be available in IIS. + + + + + + + + Configure Authentication and Authorization + + This section contains recommendations around the different layers of authentication in IIS. + + + (L1) Ensure 'global authorization rule' is set to restrict access + + IIS introduced URL Authorization, which allows the addition of Authorization rules to the actual URL, instead of the underlying file system resource, as a way to protect it. Authorization rules can be configured at the server, web site, folder (including Virtual Directories), or file level. The native URL Authorization module applies to all requests, whether they are .NET managed or other types of files (e.g., static files or ASP files). It is recommended that URL Authorization be configured to only grant access to the necessary security principals. + + + + + + + Data + Protect + + + + + + + + + Configuring a global Authorization rule that restricts access will ensure inheritance of the settings down through the hierarchy of web directories; if that content is copied elsewhere, the authorization rules flow with it. This will ensure access to current and future content is only granted to the appropriate principals, mitigating risk of accidental or unauthorized access. 
+ + + + http://www.iis.net/learn/manage/configuring-security/understanding-iis-url-authorization + http://www.iis.net/learn/get-started/whats-new-in-iis-7/changes-in-security-between-iis-60-and-iis-7-and-above#Authorization + + + + To configure URL Authorization at the server level using command line utilities: + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd set config -section:system.webServer/security/authorization /-"[users='*',roles='',verbs='']" + + %systemroot%\system32\inetsrv\appcmd set config -section:system.webServer/security/authorization /+"[accessType='Allow',roles='Administrators']" + + OR + Enter the following command in PowerShell to configure: + Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/authorization" -name "." -AtElement @{users='*';roles='';verbs=''} + + Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/authorization" -name "." -value @{accessType='Allow';roles='Administrators'} + + OR + To configure URL Authorization at the server level using IIS Manager: + + Connect to Internet Information Services (IIS Manager) + Select the server + Select Authorization Rules + Remove the "Allow All Users" rule + Click Add Allow Rule… + Allow access to the user(s), user groups, or roles that are authorized across all of the web sites and applications (e.g. the Administrators group) + + Impact: + + If not set properly, the authorization rule could restrict assess at a level that is not intended to be restricted. + + + + + + + (L1) Ensure access to sensitive site features is restricted to authenticated principals only + + IIS supports both challenge-based and login redirection-based authentication methods. Challenge-based authentication methods, such as Integrated Windows Authentication, require a client to respond correctly to a server-initiated challenge. 
A login redirection-based authentication method such as Forms Authentication relies on redirection to a login page to determine the identity of the principal. Challenge-based authentication and login redirection-based authentication methods cannot be used in conjunction with one another. + Public servers/sites are typically configured to use Anonymous Authentication. This method typically works, provided the content or services is intended for use by the public. When sites, applications, or specific content containers are not intended for anonymous public use, an appropriate authentication mechanism should be utilized. Authentication will help confirm the identity of clients who request access to sites, application, and content. IIS provides the following authentication modules by default: + + Anonymous Authentication - allows anonymous users to access sites, applications, and/or content + Integrated Windows Authentication - authenticates users using the NTLM or Kerberos protocols; Kerberos v5 requires a connection to Active Directory + ASP.NET Impersonation - allows ASP.NET applications to run under a security context different from the default security context for an application + Forms Authentication - enables a user to login to the configured space with a valid username and password which is then validated against a database or other credentials store + Basic authentication - requires a valid username and password to access content + Client Certificate Mapping Authentication - allows automatic authentication of users who log on with client certificates that have been configured; requires SSL + Digest Authentication - uses Windows domain controller to authenticate users who request access + + Note that none of the challenge-based authentication modules can be used at the same time Forms Authentication is enabled for certain applications/content. 
Forms Authentication does not rely on IIS authentication, so anonymous access for the ASP.NET application can be configured if Forms Authentication will be used. + It is recommended that sites containing sensitive information, confidential data, or non-public web services be configured with a credentials-based authentication mechanism. + + + + + + + Data + Protect + + + + + + Configuring authentication will help mitigate the risk of unauthorized users accessing data and/or services, and in some cases reduce the potential harm that can be done to a system. + + + http://learn.iis.net/page.aspx/377/using-aspnet-forms-authentication/rev/1 + http://learn.iis.net/page.aspx/244/how-to-take-advantage-of-the-iis7-integrated-pipeline/ + http://technet.microsoft.com/en-us/library/cc733010%28WS.10%29.aspx + http://msdn.microsoft.com/en-us/library/aa480476.aspx + https://technet.microsoft.com/en-us/library/hh831496(v=ws.11).aspx + + + + When configuring an authentication module for the first time, each mechanism must be completely configured before use. + +Enabling authentication can be performed by using the user interface (UI), running AppCmd.exe + commands in a command-line window, editing configuration files directly, or by writing WMI scripts. 
To verify an authentication mechanism is in place for sensitive content using the IIS Manager GUI: + + Open IIS Manager and navigate to level with sensitive content + In Features View, double-click Authentication + On the Authentication page, make sure an authentication module is enabled, while anonymous authentication is enabled (Forms Authentication can have anonymous as well) + If necessary, select the desired authentication module, then in the Actions pane, click Enable + + OR + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd set config -section:system.web/authentication /mode:<Windows|Passport|Forms> + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location '<website location>' -filter 'system.webServer/security/authentication/anonymousAuthentication' -name 'enabled' -value 'False' + + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location '<website location>' -filter 'system.webServer/security/authentication/windowsAuthentication' -name 'enabled' -value 'True' + + Impact: + + Authentication will be restricted to the method that is applied. + + + + + + + (L1) Ensure 'forms authentication' require SSL + + Forms-based authentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted using SSL, especially in cases where the site is publicly accessible. It is recommended that communications with any portion of a site using Forms Authentication be encrypted using SSL. + + NOTE + Due to identified security vulnerabilities, SSL no longer provides adequate protection for a sensitive information. + + + + + + + Data + Protect + + + + + + Data + Protect + + + + + + Requiring SSL for Forms Authentication will protect the confidentiality of credentials during the login process, helping mitigate the risk of stolen user information. 
+ + + + http://technet.microsoft.com/en-us/library/cc771077(WS.10).aspx + + + + + Open IIS Manager and navigate to the appropriate tier + In Features View, double-click Authentication + On the Authentication page, select Forms Authentication + In the Actions pane, click Edit + Check the Requires SSL checkbox in the cookie settings section, click OK + + OR + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd set config -section:system.web/authentication /mode:Forms + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site' -filter 'system.web/authentication/forms' -name 'requireSSL' -value 'True' + + Impact: + + None. + + + + + + + + + + + + + (L2) Ensure 'forms authentication' is set to use cookies + + Forms Authentication can be configured to maintain the site visitor's session identifier in either a URI or cookie. It is recommended that Forms Authentication be set to use cookies. + + + + + + + + + + +Using cookies to manage session state may help mitigate the risk of session hi-jacking attempts by preventing ASP.NET from having to move session information to the URL. Moving session information identifiers into the URL may cause session IDs to show up in proxy logs, browsing history, and be accessible to client scripting via document.location +. 
+ + + http://technet.microsoft.com/en-us/library/cc732830%28WS.10%29.aspx + + + + + Open IIS Manager and navigate to the level where Forms Authentication is enabled + In Features View, double-click Authentication + On the Authentication page, select Forms Authentication + In the Actions pane, click Edit + In the Cookie settings section, select Use cookies from the Mode dropdown + + OR + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd set config -section:system.web/authentication /forms.cookieless:"UseCookies" + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site' -filter 'system.web/authentication/forms' -name 'cookieless' -value 'UseCookies' + + Impact: + + Site visitor's session identifier will be stored via cookies. + + + + + + + + + + + + + (L1) Ensure 'cookie protection mode' is configured for forms authentication + + The cookie protection mode defines the protection Forms Authentication cookies will be given within a configured application. 
The four cookie protection modes that can be defined are: + + Encryption and validation - Specifies that the application use both data validation and encryption to help protect the cookie; this option uses the configured data validation algorithm (based on the machine key) and triple-DES (3DES) for encryption, if available and if the key is long enough (48 bytes or more) + None - Specifies that both encryption and validation are disabled for sites that are using cookies only for personalization and have weaker security requirements + Encryption - Specifies that the cookie is encrypted by using Triple-DES or DES, but data validation is not performed on the cookie; cookies used in this manner might be subject to plain text attacks + Validation - Specifies that a validation scheme verifies that the contents of an encrypted cookie have not been changed in transit + + It is recommended that cookie protection mode always encrypt and validate Forms Authentication cookies. + + + + + + + Data + Protect + + + + + + + + + By encrypting and validating the cookie, the confidentiality and integrity of data within the cookie is assured. This helps mitigate the risk of attacks such as session hijacking and impersonation. + + + + http://technet.microsoft.com/en-us/library/cc731804%28WS.10%29.aspx + + + + +Cookie protection mode can be configured by using the user interface (UI), by running Appcmd.exe + commands in a command-line window, by editing configuration files directly, or by writing WMI scripts. 
Using IIS Manager: + + Open IIS Manager and navigate to the level where Forms Authentication is enabled + In Features View, double-click Authentication + On the Authentication page, select Forms Authentication + In the Actions pane, click Edit + In the Cookie settings section, verify the drop-down for Protection mode is set for Encryption and validation + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter 'system.web/authentication/forms' -name 'protection' -value 'All' + + Impact: + + Protection Forms Authentication cookies will restricted to the mode defined. + + + + + + + + + + + + + (L1) Ensure transport layer security for 'basic authentication' is configured + + Basic Authentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted, especially in cases where the site is publicly accessible and is recommended that TLS be configured and required for any Site or Application using Basic Authentication. + + + + + + + Data + Protect + + + + + + Data + Protect + + + + + + Credentials sent in clear text can be easily intercepted by malicious code or persons. Enforcing the use of Transport Layer Security will help mitigate the chances of hijacked credentials. 
+ + + + http://technet.microsoft.com/en-us/library/dd378853%28WS.10%29.aspx + + + + To protect Basic Authentication with transport layer security: + + Open IIS Manager + In the Connections pane on the left, select the server to be configured + In the Connections pane, expand the server, then expand Sites and select the site to be configured + In the Actions pane, click Bindings; the Site Bindings dialog appears + If an HTTPS binding is available, click Close and see below "To require SSL" + If no HTTPS binding is visible, perform the following steps + + To add an HTTPS binding: + + In the Site Bindings dialog, click Add; the Add Site Binding dialog appears + Under Type, select https + Under SSL certificate, select an X.509 certificate + Click OK, then close + + To require SSL: + + In Features View, double-click SSL Settings + On the SSL Settings page, select Require SSL. + In the Actions pane, click Apply + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location '<website name>' -filter 'system.webServer/security/access' -name 'sslFlags' -value 'Ssl' + + Impact: + + Credentials will not be passed across the network in plain text. + + + + + + + (L1) Ensure 'passwordFormat' is not set to clear + + +The <credentials> + element of the <authentication> + element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms based authentication also uses these elements to define the users. IIS Manager Users can use the administration interface to connect to sites and applications in which they've been granted authorization. + + Note: + The <credentials> + element only applies when the default provider, ConfigurationAuthenticationProvider +, is configured as the authentication provider. + +It is recommended that passwordFormat + be set to a value other than Clear +, such as SHA1 +. 
+ + + + + + + Data + Protect + + + + + + Users + Protect + + + + + + Authentication credentials should always be protected to reduce the risk of stolen authentication credentials. + + + + http://www.iis.net/ConfigReference/system.webServer/management/authentication/credentials + http://msdn.microsoft.com/en-us/library/bb422401%28VS.90%29.aspx + https://docs.microsoft.com/en-us/dotnet/framework/whats-new/#v471 + + + + +Authentication mode is configurable at the machine.config +, root-level web.config +, or application-level web.config +: + + Locate and open the configuration file where the credentials are stored + +Find the <credentials> + element + +If present, ensure passwordFormat + is not set to Clear + + +Change passwordFormat +to SHA1 + + + The clear text passwords will need to be replaced with the appropriate hashed version. + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter 'system.web/authentication/forms/credentials' -name 'passwordFormat' -value 'SHA1' + + Impact: + + + passwordFormat + will be encrypted. + + + + + + + + + + + + + (L2) Ensure 'credentials' are not stored in configuration files + + +The <credentials> + element of the <authentication> + element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms based authentication also uses these elements to define the users. IIS Manager Users can use the administration interface to connect to sites and applications in which they've been granted authorization. + + Note: + The <credentials> + element only applies when the default provider, ConfigurationAuthenticationProvider +, is configured as the authentication provider. + It is recommended to avoid storing passwords in the configuration file even in form of hash. 
+ + + + + + + Users + Protect + + + + + + Authentication credentials should always be protected to reduce the risk of stolen authentication credentials. For security reasons, it is recommended that user credentials not be stored an any IIS configuration files. + + + http://www.iis.net/ConfigReference/system.webServer/management/authentication/credentials + http://msdn.microsoft.com/en-us/library/bb422401%28VS.90%29.aspx + + + + +Authentication mode is configurable at the machine.config +, root-level web.config +, or application-level web.config +: + + Locate and open the configuration file where the credentials are stored + +Find the <credentials> + element + If present, remove the section + + This will remove all references to stored users in the configuration files. + OR + Enter the following command in PowerShell to configure: + Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter 'system.web/authentication/forms/credentials' -name '.' + + Impact: + + Passwords in the configuration file will be stored in form of a hash. + + + + + + + + + + + + + + ASP.NET Configuration Recommendations + + This section contains recommendations specific to ASP.NET. + + + (L1) Ensure 'deployment method retail' is set + + +The <deployment retail> + switch is intended for use by production IIS servers. This switch is used to help applications run with the best possible performance and least possible security information leakages by disabling the application's ability to generate trace output on a page, disabling the ability to display detailed error messages to end users, and disabling the debug switch. Often times, switches and options that are developer-focused, such as failed request tracing and debugging, are enabled during active development. + +It is recommended that the deployment method on any production server be set to retail +. 
+ + + + + + + + + + +Utilizing the switch specifically intended for production IIS servers will eliminate the risk of vital application and system information leakages that would otherwise occur if tracing or debug were to be left enabled, or customErrors + were to be left off. + + + http://msdn.microsoft.com/en-US/library/ms228298%28VS.80%29.aspx + + + + + +Open the machine.config + file located in: %systemroot%\Microsoft.NET\Framework<bitness (if not the 32 bit)>\<framework version>\CONFIG + + +Add the line <deployment retail="true" /> + within the <system.web> + section + +If systems are 64-bit, do the same for the machine.config + located in: %systemroot%\Microsoft.NET\Framework<bitness (if not the 32 bit)>\<framework version>\CONFIG + + + Impact: + + N/A + + + + + + + (L2) Ensure 'debug' is turned off + + Developers often enable the debug mode during active ASP.NET development so that they do not have to continually clear their browsers cache every time they make a change to a resource handler. The problem would arise from this being left "on" or set to "true". Compilation debug output is displayed to the end user, allowing malicious persons to obtain detailed information about applications. + +This is a defense in depth recommendation due to the <deployment retail="true" /> + in the machine.config + configuration file overriding any debug settings. + It is recommended that debugging still be turned off. + + + + + + + + + + +Setting <compilation debug> + to false + ensures that detailed error information does not inadvertently display during live application usage, mitigating the risk of application information leakage falling into unscrupulous hands. 
+ + + http://technet.microsoft.com/en-us/library/cc725812%28WS.10%29.aspx + + + + To use the UI to make this change: + + Open IIS Manager and navigate desired server, site, or application + In Features View, double-click .NET Compilation + On the .NET Compilation page, in the Behavior section, ensure the Debug field is set to False + When finished, click Apply in the Actions pane + + +Note: The <compilation debug> + switch will not be present in the web.config + file unless it has been added manually, or has previously been configured using the IIS Manager GUI. + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter "system.web/compilation" -name "debug" -value "False" + + Impact: + + Debugging will be disabled. + + + + + + + + + + + + + (L2) Ensure custom error messages are not off + + +When an ASP.NET application fails and causes an HTTP/1.x 500 Internal Server Error, or a feature configuration (such as Request Filtering) prevents a page from being displayed, an error message will be generated. Administrators can choose whether or not the application should display a friendly message to the client, detailed error message to the client, or detailed error message to localhost only. The <customErrors> + tag in the web.config + has three modes: + + +On: Specifies that custom errors are enabled. If no defaultRedirect + attribute is specified, users see a generic error. The custom errors are shown to the remote clients and to the local host + Off: Specifies that custom errors are disabled. The detailed ASP.NET errors are shown to the remote clients and to the local host + RemoteOnly: Specifies that custom errors are shown only to the remote clients, and that ASP.NET errors are shown to the local host. 
This is the default value + + +This is a defense in depth recommendation due to the <deployment retail="true" /> + in the machine.config + file overriding any settings for customErrors + to be turned Off +. + +It is recommended that customErrors + still be turned to On +or RemoteOnly +. + + + + + + + + + + + customErrors + can be set to On +or RemoteOnly + without leaking detailed application information to the client. Ensuring that customErrors + is not set to Off +will help mitigate the risk of malicious persons learning detailed application error and server configuration information. + + + http://technet.microsoft.com/en-us/library/dd569096%28WS.10%29.aspx + + + + + customErrors + may be set for a server, site, or application using the IIS Manager GUI, using AppCmd.exe + commands in a command-line window, directly editing the configuration files, or by writing WMI scripts. Perform the following to set the customErrors + mode to RemoteOnly + or On + for a Web Site in the IIS Manager GUI: + + Open the IIS Manager GUI and navigate to the site to be configured + In Features View, find and double-click .NET Error Pages icon + In the Actions Pane, click Edit Feature Settings + In modal dialog, choose On or Remote Only for Mode settings + Click OK + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site' -filter "system.web/customErrors" -name "mode" -value "RemoteOnly" + + Impact: + + N/A + + + + + + + + + + + + + (L1) Ensure IIS HTTP detailed errors are hidden from displaying remotely + + +A Web site's error pages are often set to show detailed error information for troubleshooting purposes during testing or initial deployment. To prevent unauthorized users from viewing this privileged information, detailed error pages must not be seen by remote users. This setting can be modified in the errorMode + attribute setting for a Web site's error pages. 
By default, the errorMode + attribute is set in the Web.config + file for the Web site or application and is located in the <httpErrors> + element of the <system.webServer> + section. + It is recommended that custom errors be prevented from displaying remotely. + + + + + + + + + + The information contained in custom error messages can provide clues as to how applications function, opening up unnecessary attack vectors. Ensuring custom errors are never displayed remotely can help mitigate the risk of malicious persons obtaining information as to how the application works. + + + http://technet.microsoft.com/en-us/library/dd391900%28WS.10%29.aspx + http://www.iis.net/configreference/system.webserver/httperrors + + + + +The following describes how to change the errorMode + attribute to DetailedLocalOnly + or Custom + for a Web site by using IIS Manager: + + Open IIS Manager with Administrative privileges + In the Connections pane on the left, expand the server, then expand the Sites folder + Select the Web site or application to be configured + In Features View, select Error Pages, in the Actions pane, select Open Feature + In the Actions pane, select Edit Feature Settings + In the Edit Error Pages Settings dialog, under Error Responses, select either Custom error pages or Detailed errors for local requests and custom error pages for remote requests + Click OK and exit the Edit Error Pages Settings dialog + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter "system.webServer/httpErrors" -name "errorMode" -value "DetailedLocalOnly" + + Impact: + + Custom errors will not be viewable remotely. + + + + + + + + + + + + + (L2) Ensure ASP.NET stack tracing is not enabled + + +The trace + element configures the ASP.NET code tracing service that controls how trace results are gathered, stored, and displayed. 
When tracing is enabled, each page request generates trace messages that can be appended to the page output or stored in an application trace log. + +This is a defense in depth recommendation due to the <deployment retail="true" /> + in the machine.config + file overriding any settings for ASP.NET stack tracing that are left on. + It is recommended that ASP.NET stack tracing still be turned off. + + + + + + + + + + In an active Web Site, tracing should not be enabled because it can display sensitive configuration and detailed stack trace information to anyone who views the pages in the site. + +If necessary, the localOnly + attribute can be set to true to have trace information displayed only for localhost requests. Ensuring that ASP.NET stack tracing is not on will help mitigate the risk of malicious persons learning detailed stack trace information. + + + http://msdn.microsoft.com/en-us/library/94c55d08%28v=vs.100%29.aspx + http://msdn.microsoft.com/en-us/library/0x5wc973%28v=vs.100%29.aspx + + + + + +Ensure <deployment retail="true" /> +is enabled in the machine.config +. + Remove all attribute references to ASP.NET tracing by deleting the trace and trace enable attributes. + + Per Page: + Remove any references to: + Trace="true" + + Per Application: + +<configuration>
+ <system.web>
+ <trace enabled="true">
+ </system.web>
+</configuration> +
+ OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter "system.web/trace" -name "enabled" -value "False" + + Impact: + + ASP.NET stack tracing still be turned off and sensitive configuration and detailed stack trace information will not be viewable to anyone who views the pages in the site. + +
+
+
+ + + + + + +
+ + (L2) Ensure 'httpcookie' mode is configured for session state + + A session cookie associates session information with client information for that session, which can be the duration of a user's connection to a site. The cookie is passed in a HTTP header together with all requests between the client and server. + +Session information can also be stored in the URL. However, storing session information in this manner has security implications that can open attack vectors such as session hijacking. An effective method used to prevent session hijacking attacks is to force web applications to use cookies to store the session token. This is accomplished by setting the cookieless + attribute of the sessionState + node to UseCookies + or False + which will in turn keep session state data out of URI. + +It is recommended that session state be configured to UseCookies +. + + + + + + + + + + +Cookies that have been properly configured help mitigate the risk of attacks such as session hi-jacking attempts by preventing ASP.NET from having to move session information to the URL; moving session information in URI causes session IDs to show up in proxy logs and is accessible to client scripting via document.location +. + + + http://www.iis.net/learn/application-frameworks/scenario-build-an-aspnet-website-on-iis/planning-step-2-plan-asp-net-settings + http://msdn.microsoft.com/en-us/library/h6bb9cz9%28VS.71%29.aspx + + + + + SessionState + can be set to UseCookies + by using the IIS Manager GUI, using AppCmd.exe + commands in a command-line window, directly editing the configuration files, or by writing WMI scripts. 
Perform the following to set the cookieless + attribute of the sessionState + node to UseCookies + in the IIS Manager GUI: + + Open the IIS Manager GUI and navigate desired server, site, or application + In Features View, find and double-click the Session State icon + In the Cookie Settings section, choose Use Cookies from the Mode dropdown + In the Actions Pane, click Apply + + +To use AppCmd.exe + to configure sessionState + at the server level, the command would look like this: + %systemroot%\system32\inetsrv\appcmd set config /commit:WEBROOT /section:sessionState /cookieless:UseCookies /cookieName:ASP.NET_SessionID /timeout:20 + + +When Appcmd.exe + is used to configure the <sessionstate> + element at the global level in IIS, the /commit:WEBROOT + switch must be included so that configuration changes are made to the root web.config + file instead of ApplicationHost.config +. + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter "system.web/sessionState" -name "mode" -value "StateServer" + + Impact: + + Session information in URI session IDs will not show up in proxy logs. + + + + + + + + + + + + + (L1) Ensure 'cookies' are set with HttpOnly attribute + + +The httpOnlyCookies + attribute of the httpCookies + node determines if IIS will set the HttpOnly + flag on HTTP cookies it sets. The HttpOnly + flag indicates to the user agent that the cookie must not be accessible by client-side script (i.e document.cookie). + +It is recommended that the httpOnlyCookies + attribute be set to true +. + + + + + + + + + + +When cookies are set with the HttpOnly + flag, they cannot be accessed by client-side scripting running in the user's browser. Preventing client-side scripting from accessing cookie content may reduce the probability of a cross site scripting attack materializing into a successful session hijack. 
+ + + https://tools.ietf.org/wg/httpstate/charters + https://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HttpOnly + https://msdn.microsoft.com/en-us/library/ms533046.aspx + + + + + +Locate and open the application's web.config + file + +Add the <httpCookies httpOnlyCookies="true" /> + tag within <system.web> +: + + +<configuration>
+ <system.web>
+ <httpCookies httpOnlyCookies="true" />
+ </system.web>
+</configuration> +
+ +Setting the value of the httpOnlyCookies + attribute of the httpCookies + element to true + will add the HttpOnly + flag to all the cookies set by the application. All modern versions of browsers recognize HttpOnly + attribute; older versions will either treat them as normal cookies or simply ignore them altogether. + Impact: + + N/A + +
+
+
+ + + + + + +
+ + (L2) Ensure 'MachineKey validation method - .Net 3.5' is configured + + +The machineKey + element of the ASP.NET web.config + specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption settings for application services such as view state, Forms authentication, membership and roles, and anonymous identification. + The following validation methods are available: + + Advanced Encryption Standard (AES) is relatively easy to implement and requires little memory. AES has a key size of 128, 192, or 256 bits. This method uses the same private key to encrypt and decrypt data, whereas a public-key method must use a pair of keys + Message Digest 5 (MD5) is used for digital signing of applications. This method produces a 128-bit message digest, which is a compressed form of the original data + Secure Hash Algorithm (SHA1) is considered more secure than MD5 because it produces a 160-bit message digest + Triple Data Encryption Standard (TripleDES) is a minor variation of Data Encryption Standard (DES). It is three times slower than regular DES but can be more secure because it has a key size of 192 bits. If performance is not a primary consideration, consider using TripleDES + + It is recommended that AES or SHA1 methods be configured for use at the global level. + + + + + + + Data + Protect + + + + + + Data + Protect + + + + + + Setting the validation property to AES will provide confidentiality and integrity protection to the viewstate. AES is the strongest encryption algorithm supported by the validation property. Setting the validation property to SHA1 will provide integrity protection to the viewstate. SHA1 is the strongest hashing algorithm supported by the validation property. 
+ + + + http://technet.microsoft.com/en-us/library/cc772271%28WS.10%29.aspx + http://technet.microsoft.com/en-us/library/cc772287%28WS.10%29.aspx + + + + +Machine key encryption can be set by using the UI, running appcmd.exe + commands, by editing configuration files directly, or by writing WMI scripts. To set the Machine Key encryption at the global level using an appcmd.exe + command: + %systemroot%\system32\inetsrv\appcmd set config /commit:WEBROOT /section:machineKey /validation:SHA1 + + +Note: When Appcmd.exe + is used to configure the <machineKey> + element at the global level in IIS, the /commit:WEBROOT + switch must be included so that configuration changes are made to the root web.config + file instead of ApplicationHost.config +. + Impact: + + N/A + + + + + + + + + + + + + (L1) Ensure 'MachineKey validation method - .Net 4.5' is configured + + +The machineKey + element of the ASP.NET web.config + specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption settings for application services such as view state, Forms authentication, membership and roles, and anonymous identification. + The following validation methods are available: + + Advanced Encryption Standard (AES) is relatively easy to implement and requires little memory. AES has a key size of 128, 192, or 256 bits. This method uses the same private key to encrypt and decrypt data, whereas a public-key method must use a pair of keys + Message Digest 5 (MD5) is used for digital signing of applications. This method produces a 128-bit message digest, which is a compressed form of the original data + Secure Hash Algorithm (SHA1) is considered more secure than MD5 because it produces a 160-bit message digest + Triple Data Encryption Standard (TripleDES) is a minor variation of Data Encryption Standard (DES). It is three times slower than regular DES but can be more secure because it has a key size of 192 bits. 
If performance is not a primary consideration, consider using TripleDES + Secure Hash Algorithm (SHA-2) is a family of two similar hash functions, with different block sizes known as SHA-256 and SHA-512. They differ in the word size; SHAS-256 used 32-bit words and SHA-512 uses 64-bit words. + + It is recommended that SHA-2 methods be configured for use at the global level. + + + + + + + Data + Protect + + + + + + Data + Protect + + + + + + SHA-2 is the strongest hashing algorithm supported by the validation property so it should be used as the validation method for the MachineKey in .Net 4.5. + + + + http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-aspnet-configuration-management + + + + +Machine key encryption can be set by using the UI, running appcmd.exe + commands, by editing configuration files directly, or by writing WMI scripts. To set the Machine Key encryption at the global level using an appcmd.exe + command: + %systemroot%\system32\inetsrv\appcmd set config /commit:WEBROOT /section:machineKey /validation:<validation method> + + +Note: When Appcmd.exe + is used to configure the <machineKey> + element at the global level in IIS, the /commit:WEBROOT + switch must be included so that configuration changes are made to the root web.config + file instead of ApplicationHost.config +. + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT' -filter "system.web/machineKey" -name "validation" -value "<validation method>" + + Impact: + + N/A + + + + + + + + + + + + + (L1) Ensure global .NET trust level is configured + + An application's trust level determines the permissions that are granted by the ASP.NET code access security (CAS) policy. CAS defines two trust categories: full trust and partial trust. 
An application that has full trust permissions may access all resource types on a server and perform privileged operations, while applications that run with partial trust have varying levels of operating permissions and access to resources. + The possible values for the Level property of the TrustSection class are: + + Full: Specifies unrestricted permissions and grants the ASP.NET application permissions to access any resource that is subject to operating system security; all privileged operations are supported + +High: specifies a high level of code access security which limits the application from doing the following: + + Call unmanaged code + Call serviced components + Write to the event log + Access Microsoft Windows Message Queuing queues + Access ODBC, OLD DB, or Oracle data sources + + + +Medium: specifies a medium level of code access security, which means that in addition to the restrictions for High, the ASP.NET application cannot do any of the following things: + + Access files outside the application directory + Access the registry + + + +Low: specifies a low level of code access security, which means that in addition to the restrictions for Medium, the application is prevented from performing any of the following actions: + + Write to the file system + +Call the System.Security.CodeAccessPermission.Assert + method to expand permissions to resources + Minimal: specifies a minimal level of code access security, which means that the application has only execute permission + + + + It is recommended that the global .NET Trust Level be set to Medium or lower. + + + + + + + Data + Protect + + + + + + Data + Protect + + + + + + The CAS determines the permissions that are granted to the application on the server. Setting a minimal level of trust that is compatible with the applications will limit the potential harm that a compromised application could cause to a system. 
+ + + + http://technet.microsoft.com/en-us/library/cc772237(WS.10).aspx + http://msdn.microsoft.com/en-us/library/ms691448%28VS.90%29.aspx + http://support.microsoft.com/kb/2698981 + + + + +Trust level can be set by using the UI, running appcmd.exe + commands, by editing configuration files directly, or by writing WMI scripts. To set the .Net Trust Level to Medium at the server level using an appcmd.exe + command: + %systemroot%\system32\inetsrv\appcmd set config /commit:WEBROOT /section:trust /level:Medium + + +When Appcmd.exe + is used to configure the element at the global level in IIS, the /commit:WEBROOT + switch must be included so that configuration changes are made to the root web.config + file instead of ApplicationHost.config +. + + OR + + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT' -filter "system.web/trust" -name "level" -value "Medium" + + Impact: + + If not set properly, the application may not run. + + + + + + + + + + + + + (L2) Ensure X-Powered-By Header is removed + + The x-powered-by headers specify the underlying technology used by the webserver. + + + + + + + Devices + Protect + + + + + + Attackers are able to conduct reconnaissance on a website using these response headers. This header could be used to target attacks for specific known vulnerabilities associated with the underlying technology. Removing this header will prevent targeting of your application for specific exploits by non-determined attackers. + While this is not the only way to fingerprint a site through the response headers, it makes it harder and prevents some potential attackers. 
+ + + https://blogs.msdn.microsoft.com/jpsanders/2015/10/07/remove-server-and-x-powered-by-headers-from-your-azure-mobile-apps/ + + + + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpProtocol /-"customHeaders.[name='X-Powered-By']" /commit:apphost + + OR + Enter the following command in PowerShell to configure: + Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webserver/httpProtocol/customHeaders" -name "." -AtElement @{name='X-Powered-By'} + + Impact: + + X-powered-by headers will not be available on the webserver. + + + + + + + (L2) Ensure Server Header is removed + + The server header headers specify the underlying technology used by the application. + + + + + + + Devices + Protect + + + + + + While this is not the only way to fingerprint a site through the response headers, it makes it harder and prevents some potential attackers. The server header removal directive is a new feature in IIS 10 that can assist in mitigating this risk. + + + https://blogs.msdn.microsoft.com/jpsanders/2015/10/07/remove-server-and-x-powered-by-headers-from-your-azure-mobile-apps/ + + + + Enter the following command to use AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/requestFiltering /removeServerHeader:"True" /commit:apphost + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/' -filter "system.webServer/security/requestFiltering" -name "removeServerHeader" -value "True" + + Impact: + + This will remove the server header. + + + + + +
+ + Request Filtering and Other Restriction Modules + + Introduced in IIS 7.0 for the first time, Request Filtering is a powerful module that provides a configurable set of rules that enables administrators to allow or reject the types of requests that they determine should be allowed or rejected at the server, web site, or web application levels. + Earlier versions of Internet Information Services provided the tool UrlScan, which was provided as an add-on to enable system administrators to enforce tighter security policies on their web servers. All of the core features of URLScan have been incorporated into the Request Filtering module. Due to the close nature of functionality in these two tools, reference to legacy URLScan settings will be made where applicable. + IIS 8 also introduced modules for Dynamic IP Address Restrictions. This module can be configured to automatically block web site access based on specific rules. + Note: Request Filtering and IP and Domain Restrictions must be enabled as a role service under IIS in order to configure any of its features. + + + (L2) Ensure 'maxAllowedContentLength' is configured + + +The maxAllowedContentLength + Request Filter is the maximum size of the http request, measured in bytes, which can be sent from a client to the server. Configuring this value enables the total request size to be restricted to a configured value. + It is recommended that the overall size of requests be restricted to a maximum value appropriate for the server, site, or application. + + + + + + + + + + +Setting an appropriate value that has been tested for the maxAllowedContentLength + filter will lower the impact an abnormally large request would otherwise have on IIS and/or web applications. This helps to ensure availability of web content and services, and may also help mitigate the risk of buffer overflow type attacks in unmanaged components. 
+ + + http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits + http://learn.iis.net/page.aspx/143/use-request-filtering/ + + + + +The MaxAllowedContentLength + Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe + commands in a command-line window, and/or directly editing the configuration files. To configure using the IIS Manager GUI: + + Open Internet Information Services (IIS) Manager + In the Connections pane, click on the server, site, application, or directory to be configured + In the Home pane, double-click Request Filtering + Click Edit Feature Settings... in the Actions pane + Under the Request Limits section, key the maximum content length in bytes that will allow applications to retain their intended functionality, such as 30000000 (approx. 28.6 MB) + + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /requestLimits.maxAllowedContentLength:30000000 + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering/requestLimits" -name "maxAllowedContentLength" -value 30000000 + + Impact: + + Size of requests be restricted to the maximum value set. + + + + + + + (L2) Ensure 'maxURL request filter' is configured + + +The maxURL + attribute of the <requestLimits> + property is the maximum length (in Bytes) in which a requested URL can be (excluding query string) in order for IIS to accept. Configuring this Request Filter enables administrators to restrict the length of the requests that the server will accept. + It is recommended that a limit be put on the length of URL. 
+ + + + + + + + + + With a properly configured Request Filter limiting the amount of data accepted in the URL, chances of undesired application behaviors affecting the availability of content and services are reduced. + + + http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits + http://learn.iis.net/page.aspx/143/use-request-filtering/ + + + + +The MaxURL + Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe + commands in a command-line window, and/or directly editing the configuration files. To configure using the IIS Manager GUI: + + Open Internet Information Services (IIS) Manager + In the Connections pane, click on the connection, site, application, or directory to be configured + In the Home pane, double-click Request Filtering + Click Edit Feature Settings... in the Actions pane + Under the Request Limits section, key the maximum URL length in bytes that has been tested with web applications + + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /requestLimits.maxURL:4096 + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering/requestLimits" -name "maxUrl" -value 4096 + + Impact: + + Length of the URL will be restricted to the maximum value set. + + + + + + + + + + + + + (L2) Ensure 'MaxQueryString request filter' is configured + + +The MaxQueryString + Request Filter describes the upper limit on the length of the query string that the configured IIS server will allow for websites or applications. + It is recommended that values always be established to limit the amount of data that can be accepted in the query string. 
+ + + + + + + + + + With a properly configured Request Filter limiting the amount of data accepted in the query string, chances of undesired application behaviors such as app pool failures are reduced. + + + http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits + http://learn.iis.net/page.aspx/143/use-request-filtering/ + + + + +The MaxQueryString + Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe + commands in a command-line window, and/or directly editing the configuration files. To configure using the IIS Manager GUI: + + Open Internet Information Services (IIS) Manager + In the Connections pane, go to the connection, site, application, or directory to be configured + In the Home pane, double-click Request Filtering + Click Edit Feature Settings... in the Actions pane + Under the Request Limits section, key in a safe upper bound in the Maximum query string (Bytes) textbox + + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /requestLimits.maxQueryString:2048 + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering/requestLimits" -name "maxQueryString" -value 2048 + + Impact: + + The amount of data to be accepted in the query string will be limited. + + + + + + + + + + + + + (L2) Ensure non-ASCII characters in URLs are not allowed + + +This feature is used to allow or reject all requests to IIS that contain non-ASCII characters. When using this feature, Request Filtering will deny the request if high-bit characters are present in the URL. The UrlScan equivalent is AllowHighBitCharacters +. + It is recommended that requests containing non-ASCII characters be rejected, where possible. 
+ + + + + + + + + + This feature can help defend against canonicalization attacks, reducing the potential attack surface of servers, sites, and/or applications. + + + http://learn.iis.net/page.aspx/143/use-request-filtering/ + http://learn.iis.net/page.aspx/936/urlscan-1-reference/ + Professional IIS 7 by Ken Schaefer, Jeff Cochran, Scott Forsyth, Rob Baugh, Mike Everest, Dennis Glendenning + + + + +The AllowHighBitCharacters + Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe + commands in a command-line window, and/or directly editing the configuration files. To configure using the IIS Manager GUI: + + Open Internet Information Services (IIS) Manager + In the Connections pane, go to the connection, site, application, or directory to be configured + In the Home pane, double-click Request Filtering + Click Edit Feature Settings... in the Actions pane + Under the General section, uncheck Allow high-bit characters + + Note: Disallowing high-bit ASCII characters in the URL may negatively impact the functionality of sites requiring international language support. + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /allowHighBitCharacters:false + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering" -name "allowHighBitCharacters" -value "False" + + Impact: + + Requests containing non-ASCII characters be rejected. + + + + + + + + + + + + + (L1) Ensure Double-Encoded requests will be rejected + + +This Request Filter feature prevents attacks that rely on double-encoded requests and applies if an attacker submits a double-encoded request to IIS. When the double-encoded requests filter is enabled, IIS will go through a two iteration process of normalizing the request. 
If the first normalization differs from the second, the request is rejected and the error code is logged as a 404.11. The double-encoded requests filter was the VerifyNormalization + option in UrlScan. + It is recommended that double-encoded requests be rejected. + + + + + + + Devices + Protect + + + + + + + + + This feature will help prevent attacks that rely on URLs that have been crafted to contain double-encoded request(s). + + + + http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits + http://learn.iis.net/page.aspx/143/use-request-filtering/ + + + + +The allowDoubleEscaping + Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe + commands in a command-line window, and/or directly editing the configuration files. To configure using the IIS Manager GUI: + + Open Internet Information Services (IIS) Manager + In the Connections pane, select the site, application, or directory to be configured + In the Home pane, double-click Request Filtering + Click Edit Feature Settings... in the Actions pane + Under the General section, uncheck Allow double escaping + + +If a file name in a URL includes "+" then allowDoubleEscaping + must be set to true + to allow functionality. + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /allowDoubleEscaping:false + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering" -name "allowDoubleEscaping" -value "True" + + Impact: + + Double-encoded requests will be rejected. + + + + + + + + + + + + + (L1) Ensure 'HTTP Trace Method' is disabled + + +The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. 
Attackers could leverage this behavior to access sensitive information, such as authentication data or cookies, contained in the HTTP headers of the request. One such way to mitigate this is by using the <verbs> + element of the <requestFiltering> + collection. The <verbs> + element replaces the [AllowVerbs] and [DenyVerbs] features in UrlScan. + It is recommended the HTTP TRACE method be denied. + + + + + + + + + + Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data. This risk can be mitigated by not allowing the TRACE verb. + + + http://www.kb.cert.org/vuls/id/867593 + http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/verbs + + + + + Open Internet Information Services (IIS) Manager + In the Connections pane, select the site, application, or directory to be configured + In the Home pane, double-click Request Filtering + In the Request Filtering pane, click the HTTP verbs tab, and then click Deny Verb... in the Actions pane + In the Deny Verb dialog box, enter the TRACE, and then click OK + + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /+verbs.[verb='TRACE',allowed='false'] + + OR + Enter the following command in PowerShell to configure: + Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering/verbs" -name "." -value @{verb='TRACE';allowed='False'} + + Impact: + + Contents of client HTTP requests in the entity-body of the TRACE response will not be available. + + + + + + + (L1) Ensure Unlisted File Extensions are not allowed + + +The FileExtensions + Request Filter allows administrators to define specific extensions their web server(s) will allow and disallow. The property allowUnlisted + will cover all other file extensions not explicitly allowed or denied. 
Often times, extensions such as .config +, .bat +, .exe +, to name a few, should never be served. The AllowExtensions + and DenyExtensions + options are the UrlScan equivalents. + It is recommended that all extensions be disallowed at the most global level possible, with only those necessary being allowed. + + + + + + + + + + Disallowing all but the necessary file extensions can greatly reduce the attack surface of applications and servers. + + + http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits + http://www.iis.net/learn/manage/configuring-security/configure-request-filtering-in-iis + + + + +The allowUnlisted + Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe + commands in a command-line window, and/or directly editing the configuration files. To configure at the server level using the IIS Manager GUI: + + Open Internet Information Services (IIS) Manager + In the Connections pane, select the server + In the Home pane, double-click Request Filtering + Click Edit Feature Settings... in the Actions pane + Under the General section, uncheck Allow unlisted file name extensions + + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /fileExtensions.allowunlisted:false + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering/fileExtensions" -name "allowUnlisted" -value "False" + + Impact: + + If not set properly, file extensions that are needed will be rejected. + + + + + + + + + + + + + (L1) Ensure Handler is not granted Write and Script/Execute + + +Handler mappings can be configured to give permissions to Read +, Write +, Script +, or Execute + depending on what the use is for - reading static content, uploading files, executing scripts, etc. 
+ +It is recommended to grant a handler either Execute/Script + or Write + permissions, but not both. + + + + + + + Data + Protect + + + + + + + + + +By allowing both Execute/Script + and Write + permissions, a handler can run malicious code on the target server. Ensuring these two permissions are never together will help lower the risk of malicious code being executed on the server. + + + + http://technet.microsoft.com/en-us/library/dd391910%28WS.10%29.aspx + http://blogs.iis.net/thomad/archive/2006/11/05/quo-vadis-accessflags.aspx + + + + +The accessPolicy + attribute in the <handlers> + section of either the ApplicationHost.config + (server-wide) or web.config + (site or application) must not have Write + present when Script + or Execute + are present. To resolve this issue for a Web server, the attribute in the <handlers> + section of the ApplicationHost.config + file for the server must manually be edited. To edit the ApplicationHost.config file by using Notepad, perform the following steps: + + Open Notepad as Administrator + +Open the ApplicationHost.config file in %systemroot%\system32\inetsrv\config + + +Edit the <handlers> + section accessPolicy + attribute so that Write + is not present when Script + or Execute + are present + + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd set config /section:handlers /accessPolicy:Read,Script + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/handlers" -name "accessPolicy" -value "Read,Script" + + Note: This configuration change cannot be made by using IIS Manager. + Impact: + + N/A + + + + + + + (L1) Ensure 'notListedIsapisAllowed' is set to false + + +The notListedIsapisAllowed +attribute is a server-level setting that is located in the ApplicationHost.config + file in the <isapiCgiRestriction> + element of the <system.webServer> + section under <security> +. 
This element ensures that malicious users cannot copy unauthorized ISAPI binaries to the Web server and then run them. + +It is recommended that notListedIsapisAllowed + be set to false +. + + + + + + + + + + +Restricting this attribute to false +will help prevent potentially malicious ISAPI extensions from being run. + + + http://technet.microsoft.com/en-us/library/dd378846%28WS.10%29.aspx + http://www.iis.net/ConfigReference/system.webServer/security/isapiCgiRestriction + + + + +To use IIS Manager to set the notListedIsapisAllowed + attribute to false +: + + Open IIS Manager as Administrator + In the Connections pane on the left, select server to be configured + In Features View, select ISAPI and CGI Restrictions; in the Actions pane, select Open Feature + In the Actions pane, select Edit Feature Settings + In the Edit ISAPI and CGI Restrictions Settings dialog, clear the Allow unspecified ISAPI modules check box, if checked + Click OK + + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/isapiCgiRestriction /notListedIsapisAllowed:false + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/isapiCgiRestriction" -name "notListedIsapisAllowed" -value "False" + + Impact: + + Unauthorized ISAPI binaries will not be allowed. + + + + + + + + + + + + + (L1) Ensure 'notListedCgisAllowed' is set to false + + +The notListedCgisAllowed + attribute is a server-level setting that is located in the ApplicationHost.config + file in the <isapiCgiRestriction> + element of the <system.webServer> + section under <security> +. This element ensures that malicious users cannot copy unauthorized CGI binaries to the Web server and then run them. + +It is recommended that notListedCgisAllowed + be set to false +. 
+ + + + + + + + + + +Restricting this attribute to false + will help prevent unlisted CGI extensions, including potentially malicious CGI scripts from being run. + + + http://technet.microsoft.com/en-us/library/dd391919%28WS.10%29.aspx + + + + +To set the notListedCgisAllowed + attribute to false using IIS Manager: + + Open IIS Manager as Administrator + In the Connections pane on the left, select the server to configure + In Features View, select ISAPI and CGI Restrictions; in the Actions pane, select Open Feature + In the Actions pane, select Edit Feature Settings + In the Edit ISAPI and CGI Restrictions Settings dialog, clear the Allow unspecified CGI modules check box + Click OK + + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/isapiCgiRestriction /notListedCgisAllowed:false + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/isapiCgiRestriction" -name "notListedCgisAllowed" -value "False" + + Impact: + + Unlisted CGI extensions will not be allowed. + + + + + + + + + + + + + (L1) Ensure 'Dynamic IP Address Restrictions' is enabled + + Dynamic IP address filtering allows administrators to configure the server to block access for IPs that exceed the specified number of requests or request frequency. + + Note: + Ensure that you receive the Forbidden page once the block has been enforced. + + + + + + + Network + Protect + + + + + + Devices + Protect + + + + + + IIS Dynamic IP Address Restrictions capability can be used to thwart DDos attacks. This is complimentary to the IP Addresses and Domain names Restrictions lists that can be manually maintained within IIS. In contrast, Dynamic IP address filtering allows administrators to configure the server to block access for IPs that exceed the specified request threshold. 
The default action Deny action for restrictions is to return a Forbidden response to the client. + + + + http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions + + + + + + Open IIS Manager. + + + Open the IP Address and Domain Restrictions feature. + + + Click Edit Dynamic Restrictions Settings.. + + + Check the Deny IP Address based on the number of concurrent requests and the Deny IP Address based on the number of requests over a period of time boxes. The values can be tweaked as needed for your specific environment. + + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/dynamicIpSecurity/denyByConcurrentRequests" -name "enabled" -value "True" + + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/dynamicIpSecurity/denyByConcurrentRequests" -name "maxConcurrentRequests" -value <number of requests> + + Impact: + + Clients will receive a forbidden response when the specified number of requests or request frequency is exceeded. + + + + + + + + IIS Logging Recommendations + + This section contains recommendations regarding IIS logging that have not been covered in the Basic Configurations section. + + + (L1) Ensure Default IIS web log location is moved + + IIS will log relatively detailed information on every request. These logs are usually the first item looked at in a security response and can be the most valuable. Malicious users are aware of this and will often try to remove evidence of their activities. + It is recommended that the default location for IIS log files be changed to a restricted, non-system drive. + + + + + + + Network + Protect + + + + + + Network + Detect + + + + + + Moving IIS logging to a restricted, non-system drive will help mitigate the risk of logs being maliciously altered, removed, or lost in the event of system drive failure(s). 
+ + + + https://technet.microsoft.com/en-us/library/cc770709(v=ws.10).aspx? + + + + +Moving the default log location can be easily accomplished using the Logging feature in the IIS Management UI, AppCmd.exe +, or PowerShell. + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd set config -section:sites -siteDefaults.logfile.directory:<new log location> + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.applicationHost/sites/siteDefaults/logFile" -name "directory" -value <new log location> + + Moving log file stores to a non-system drive or partition separate from where web applications run and/or content is served is preferred. Additionally, folder-level NTFS permissions should be set as restrictive as possible; Administrators and SYSTEM are typically the only principals requiring access. + While standard IIS logs can be moved and edited using IIS Manager, additional management tool add-ons are required in order to manage logs generated by other IIS features, such as Request Filtering and IIS Advanced Logging. These add-ons can be obtained using the Web Platform Installer or from Microsoft's site. The HTTPErr logging location can be changed by adding a registry key. + Impact: + + If an administrator needs access to the log file, that does not have drive permission, they will be unable to view that file. + + + + + + + (L1) Ensure Advanced IIS logging is enabled + + IIS Advanced Logging is a module which provides flexibility in logging requests and client data. It provides controls that allow businesses to specify what fields are important, easily add additional fields, and provide policies pertaining to log file rollover and Request Filtering. HTTP request/response headers, server variables, and client-side fields can be easily logged with minor configuration in the IIS management console. 
+ + + + + + + Network + Detect + + + + + + Network + Detect + + + + Network + Detect + + + + + + Many of the fields available in Advanced Logging can provide extensive, real-time data and details not otherwise obtainable. Developers and security professionals can use this information to identify and remediate application vulnerabilities/attack patterns. + + + + + https://www.iis.net/learn/get-started/whats-new-in-iis-85/enhanced-logging-for-iis85 + + + + IIS Advanced Logging can be configured for servers, Web sites, and directories in IIS Manager. To enable Advanced Logging using the UI: + + Open Internet Information Services (IIS) Manager + Click the server in the Connections pane + Double-click the Logging icon on the Home page + Click Select Fields + + The fields that will be logged need to be configured using the Add or Edit Fields button. + Note: There may be performance considerations depending on the extent of the configuration. + Impact: + + Collecting detailed log files will take more space on the specified drive. + + + + + + + (L1) Ensure 'ETW Logging' is enabled + + Event Tracing for Windows (ETW) is a Windows feature that allows Administrators to send logging information to another location. This information is then compiled on the server and can be queried. + + + + + + + Network + Detect + + + + + + Network + Detect + + + + Network + Detect + + + + + + IIS flushes log information to disk, therefore prior to IIS, administrators do not have access to real-time logging information. Text-based log files can also be difficult and time consuming to process. By enabling ETW, administrators have access to use standard query tools for viewing real-time logging information. 
+ + + + + http://www.iis.net/learn/get-started/whats-new-in-iis-85/logging-to-etw-in-iis-85 + http://blogs.technet.com/b/erezs_iis_blog/archive/2013/07/15/hook-me-up.aspx + https://blogs.msdn.microsoft.com/dcook/2015/09/30/etw-overview/ + https://social.msdn.microsoft.com/Forums/en-US/a1aa1350-41a0-4490-9ae3-9b4520aeb9d4/faq-common-questions-for-etw-and-windows-event-log?forum=etw + + + + To configure ETW logging: + + Open IIS Manager + Select the server or site to enable ETW + Select Logging. + Ensure Log file format is W3C. + Select Both log file and ETW event + Save your settings. + + Impact: + + A dedicated server hosting Event Tracing for Windows (ETW) will be needed. + + + + + + + + FTP Requests + + This section contains a crucial configuration setting for running file transfer protocol (FTP). + + + (L1) Ensure FTP requests are encrypted + + FTP Publishing Service for IIS supports adding an SSL certificate to an FTP site. Using an SSL certificate with an FTP site is also known as FTP-S or FTP over Secure Socket Layers (SSL). FTP-S is an RFC standard (RFC 4217) where an SSL certificate is added to an FTP site and thereby making it possible to perform secure file transfers. + + + + + + + Data + Protect + + + + + + Data + Protect + + + + + + By using SSL, the FTP transmission is encrypted and secured from point to point and all FTP traffic as well as credentials are thereby guarded against interception. 
+ + + + http://www.windowsnetworking.com/articles_tutorials/IIS-FTP-Publishing-Service-Part3.html + http://learn.iis.net/page.aspx/304/using-ftp-over-ssl/#03 + https://tools.ietf.org/html/rfc4217 + + + + To configure FTP over SSL at the server level using AppCmd.exe or PowerShell: + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites /siteDefaults.ftpServer.security.ssl.controlChannelPolicy:"SslRequire" /siteDefaults.ftpServer.security.ssl.dataChannelPolicy:"SslRequire" /commit:apphost + + OR + Enter the following commands in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.applicationHost/sites/siteDefaults/ftpServer/security/ssl" -name "controlChannelPolicy" -value "SslRequire" + + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.applicationHost/sites/siteDefaults/ftpServer/security/ssl" -name "dataChannelPolicy" -value "SslRequire" + + Impact: + + SSL will be needed for the FTP transmission. + + + + + + + (L1) Ensure FTP Logon attempt restrictions is enabled + + FTP Logon attempt restrictions is a built-in network security feature to automatically block brute force FTP attacks. This can be used to mitigate a malicious client from attempting a brute-force attack on a discovered account, such as the local administrator account. + + + + + + + Devices + Protect + + + + + + Devices + Identify + + + + + + Successful brute force FTP attacks can allow an otherwise unauthorized user to make changes to data that should not be made. This could allow the unauthorized user to modify website code by uploading malicious software or even changing functionality for items such as online payments. 
+ + + + http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-ftp-logon-attempt-restrictions + + + + To configure FTP Logon Attempt Restrictions at the server level using AppCmd.exe or PowerShell: + Enter the following command in AppCmd.exe to configure: + %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.ftpServer/security/authentication /denyByFailure.enabled:"True" /commit:apphost + + OR + Enter the following command in PowerShell to configure: + Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.ftpServer/security/authentication/denyByFailure" -name "enabled" -value "True" + + Impact: + + N/A + + + + + + + + Transport Encryption + + This section contains recommendations for configuring IIS protocols and cipher suites. + For security protocols (SSL, TLS), there are 2 registry paths that control a protocol state in the O/S: TLS client and TLS server. A web server normally acts as the TLS server in that it is serving web content to clients. There are some instances where a web server is configured as a 'client'. An example of a server acting as a client can be seen when there is dynamic content generation. The webserver queries a remote database server to return content specific to a user's request. In this configuration, the web server is acting as a TLS client. In cases such as these, the configured TLS server protocol and cipher suite preferences take precedence over the client's. This behavior is why for the IIS benchmark we require specific protocol settings for a TLS server and only recommend settings for TLS clients. + If SSLv3 registry keys are not set, the O/S defaults take precedence. 
+ +For example, to disable SSLv3 protocol on the TLS server, you need to set the following registry key to 0: + HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server\Enabled + + +To prevent a client from issuing the Hello command over that legacy protocol the following registry must be set to 0: + HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client\Enabled + + The fact that the key is named Enabled can be confusing. The setting of the value to either 0 or 1 actually sets the state of the protocol. 0 being disabled and 1 being enabled. + +Here are some specifics into how "Enabled" and "DisabledByDefault" registry settings work. The following article, How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll +, provides additional information related to controlling these protocols and ciphers. + Using the "Enabled = 0" registry setting disables the protocol in a way that can't be overridden by application settings. This is the only robust way to prevent the protocol from being used and no additional settings are required. At the same time, using the "DisabledByDefault" registry setting only prevents that protocol from issuing the Hello command over that protocol when an SSL connection with a server is initiated. This O/S level setting can be overridden by an application which has application specific TLS coding. An example of this can be shown by setting the protocol within a line of code in your .Net 4.5 application: ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12. This can override the O/S setting if the DisabledByDefault key is present. "DisabledByDefault" is useful in the case when you want to have some control over the system settings but also allow an application to explicitly specify the protocols they would like to use. + Enabled only works strongly in the negative case ("Enabled = 0"). 
If "Enabled=1" or is not set, then "DisabledByDefault" will override in the case where the application takes the system defaults. "Enabled=1" is also overridden by application specific protocol flags. + + + (L2) Ensure HSTS Header is set + + HTTP Strict Transport Security (HSTS) allows a site to inform the user agent to communicate with the site only over HTTPS. This header takes two parameters: max-age, "specifies the number of seconds, after the reception of the STS header field, during which the user agent regards the host (from whom the message was received) as a Known HSTS Host [speaks only HTTPS]"; and includeSubDomains. includeSubDomains is an optional directive that defines how this policy is applied to subdomains. If includeSubDomains is included in the header, it provides the following definition: this HSTS Policy also applies to any hosts whose domain names are subdomains of the Known HSTS Host's domain name. + + + + + + + Data + Protect + + + + + + + + + HTTP Strict Transport Security (HSTS) is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from http:// to https:// URLs. HSTS relies on the User Agent/Browser to enforce the required behavior. All major browsers support it. If the browser doesn't support HSTS, it will be ignored. + When a browser knows that a domain has enabled HSTS, it does two things: + + + Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol. + + + Removes the ability for users to click through warnings about invalid certificates. + + + A domain instructs browsers that it has enabled HSTS by returning an HTTP header over an HTTPS connection. 
+ + + + http://tools.ietf.org/html/rfc6797#section-5.1 + https://https.cio.gov/hsts/ + https://www.iis.net/configreference/system.webserver/httpprotocol/customheaders#006 + + + + Any value greater than 0 meets this recommendation. The examples below are specific to 8 minutes but can be adjusted to meet your requirements. + +To set the HTTP Header at the server level using an AppCmd.exe + command, run the following command from an elevated command prompt: + %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpProtocol /+"customHeaders.[name='Strict-Transport-Security',value='max-age=480; preload']" + + +To set the HTTP Header and include subdomains at the server level using an AppCmd.exe + command, run the following command from an elevated command prompt: + %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpProtocol /+"customHeaders.[name='Strict-Transport-Security',value='max-age=480; includeSubDomains; preload']" + + +To set the HTTP Header at the Website level using an AppCmd.exe + command, run the following command from an elevated command prompt: + %systemroot%\system32\inetsrv\appcmd.exe set config "<em>Website"</em> -section:system.webServer/httpProtocol /+"customHeaders.[name='Strict-Transport-Security',value='max-age=480; preload']" + + +To set the HTTP Header and include subdomains at the Website level using an AppCmd.exe + command, run the following command from an elevated command prompt: + %systemroot%\system32\inetsrv\appcmd.exe set config "<em>Website"</em> -section:system.webServer/httpProtocol /+"customHeaders.[name='Strict-Transport-Security',value='max-age=480; includeSubDomains; preload']" + + Impact: + + The user agent will only be able to communicate with the site over HTTPS. + + + + + + + (L1) Ensure SSLv2 is Disabled + + The SSLv2 protocol is not considered cryptographically secure, therefore should be disabled. 
+ + + + + + + Network + Protect + + + + + + Data + Protect + + + + + + Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data. + + + + http://technet.microsoft.com/en-us/library/dn786419.aspx + http://technet.microsoft.com/en-us/library/dn786433.aspx + http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx + https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 + + + + Perform the following to disable SSL 2.0: + + +Set the following Registry key to 0 +. + + +HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server:Enabled
+HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client:Enabled +
+ + +Set the following Registry key to 1 +. + + +HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server:DisabledByDefault
+HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client:DisabledByDefault +
+ To disable using PowerShell enter the following command: + +New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null
+
+New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null +
+ Impact: + + The SSLv2 protocol will not be available for use. + +
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + (L1) Ensure SSLv3 is Disabled + + The SSLv3 protocol is not considered cryptographically secure, therefore should be disabled. + + + + + + + Data + Protect + + + + + + Data + Protect + + + + + + Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data. + + + + https://www.openssl.org/~bodo/ssl-poodle.pdf + http://technet.microsoft.com/en-us/library/dn786419.aspx + https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 + http://technet.microsoft.com/en-us/library/dn786433.aspx + http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx + + + + Perform the following to disable SSL 3.0: + + +Set the following Registry key to 0 +. + + +HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server:Enabled
+HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client:Enabled +
+ + +Set the following Registry key to 1 +. + + +HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server:DisabledByDefault
+HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client:DisabledByDefault +
+ To disable using PowerShell enter the following command: + +New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force | Out-Null
+
+New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null +
+ Impact: + + The SSLv3 protocol will not be available. + +
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + (L1) Ensure TLS 1.0 is Disabled + + The TLS 1.0 protocol is not considered cryptographically secure, therefore should be disabled. + + + + + + + Data + Protect + + + + + + Data + Protect + + + + + + Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data. + + + + http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx + https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 + http://technet.microsoft.com/en-us/library/dn786419.aspx + http://technet.microsoft.com/en-us/library/dn786433.aspx + + + + Perform the following to disable TLS 1.0: + + +Set the following Registry key to 0 +. + + +HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server:Enabled
+HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client:Enabled +
+ + +Set the following Registry key to 1 +. + + +HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server:DisabledByDefault
+HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client:DisabledByDefault +
+ To disable using PowerShell enter the following command: + +New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
+
+New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null +
+ Impact: + + The TLS 1.0 protocol will not be available. + +
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + (L1) Ensure TLS 1.1 is Disabled + + The TLS 1.1 protocol is not considered cryptographically secure, therefore should be disabled. + + + + + + + Network + Protect + + + + + + Data + Protect + + + + + + Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data. + + + + http://technet.microsoft.com/en-us/library/dn786433.aspx + https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 + http://technet.microsoft.com/en-us/library/dn786419.aspx + http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx + https://community.qualys.com/thread/16565-is-there-a-reason-for-still-having-tlsv11-enabled + + + + Perform the following to disable TLS 1.1: + + +Set the following Registry key to 0 +. + + +HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server:Enabled
+HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client:Enabled +
+ + +Set the following Registry key to 1 +. + + +HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server:DisabledByDefault
+HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client:DisabledByDefault +
+ To disable using PowerShell enter the following command: + +New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null
+
+New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null +
+ Impact: + + TLS 1.1 may be needed for backward compatibility. + + Warning: + Fully test the application to ensure that backwards compatibility is not needed. If it is, build in exceptions as necessary for backwards compatibility. + +
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + (L1) Ensure TLS 1.2 is Enabled + + TLS 1.2 is the most recent and mature protocol for protecting the confidentiality and integrity of HTTP traffic. + + + + + + + Data + Protect + + + + + + Data + Protect + + + + + + Enabling this protocol will help ensure the confidentiality and integrity of data in transit. + + + + http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx + https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 + http://technet.microsoft.com/en-us/library/dn786419.aspx + http://technet.microsoft.com/en-us/library/dn786433.aspx + + + + Perform the following to enable TLS 1.2: + + +Set the following Registry key to 1 +. + + HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server:Enabled + + + +Set the following Registry key to 0 +. + + HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server:DisabledByDefault + + To enable using PowerShell enter the following command: + +New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value '0' -PropertyType 'DWord' -Force | Out-Null +
+ Impact: + + N/A + +
+
+
+ + + + + + + + + + + + +
+ + (L1) Ensure NULL Cipher Suites is Disabled + + The NULL cipher does not provide data confidentiality or integrity, therefore it is recommended that the NULL cipher be disabled. + + + + + + + Data + Protect + + + + + + Data + Protect + + + + + + By disabling the NULL cipher, there is a better chance of maintaining data confidentiality and integrity. + + + + https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 + http://technet.microsoft.com/en-us/library/dn786419.aspx + http://technet.microsoft.com/en-us/library/dn786433.aspx + http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx + + + + +Perform the following to disable NULL + cipher: + + +Set the following Registry key to 0 +. + + HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL:Enabled + + To disable using PowerShell enter the following command: + +New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null +
+ Impact: + + The NULL cipher suite will not be available. + +
+
+
+ + + + + + + +
+ + (L1) Ensure DES Cipher Suites is Disabled + + The DES Cipher Suite is considered a weak symmetric-key cipher, therefore it is recommended that it be disabled. + + + + + + + Data + Protect + + + + + + Data + Protect + + + + + + By disabling DES, there is a better chance of maintaining data confidentiality and integrity. + + + + https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 + http://technet.microsoft.com/en-us/library/dn786433.aspx + http://technet.microsoft.com/en-us/library/dn786419.aspx + http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx + + + + +Perform the following to disable DES 56/56 + cipher: + + +Set the following Registry key to 0 +. + + HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56:Enabled + + To disable using PowerShell enter the following command: + +(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('DES 56/56')
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null +
+ Impact: + + The DES Cipher Suite will not be avaiable. + +
+
+
+ + + + + + + +
+ + (L1) Ensure RC4 Cipher Suites is Disabled + + The RC4 Cipher Suites are considered insecure, therefore should be disabled. + + Note: + RC4 cipher enabled by default on Server 2012 and 2012 R2 is RC4 128/128. + + + + + + + Data + Protect + + + + + + Data + Protect + + + + + + The use of RC4 may increase an adversaries ability to read sensitive information sent over SSL/TLS. + + + + http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx + http://technet.microsoft.com/en-us/library/dn786433.aspx + http://technet.microsoft.com/en-us/library/dn786419.aspx + https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 + + + + +Perform the following to disable RC4 40/128 +, RC4 56/128 +, RC4 64/128 +, RC4 128/128 + ciphers: + + +Set the following Registry keys to 0 +. + + +HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128:Enabled
+HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128:Enabled
+HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128:Enabled
+HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128:Enabled +
+ To disable using PowerShell enter the following commands: + +(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('RC4 40/128')
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
+
+(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('RC4 56/128')
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
+
+(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('RC4 64/128')
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
+
+(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('RC4 128/128')
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null +
+ Impact: + + The RC4 Cipher Suites will not be available. The use of RC4 in TLS and SSL could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions. + +
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + (L1) Ensure AES 128/128 Cipher Suite is Disabled + + The AES 128/128 Cipher Suite is not considered secure and therefore should be disabled, if possible. + + + + + + + Data + Protect + + + + + + Data + Protect + + + + + + This item is Scored for the following reasons and should be disabled: + + Enabling AES 256/256 is recommended. + This cipher does not suffer from known practical attacks. + + + + + http://technet.microsoft.com/en-us/library/dn786419.aspx + http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx + https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 + http://technet.microsoft.com/en-us/library/dn786433.aspx + + + + +Perform the following to disable AES 128/128 + cipher: + + +Set the following Registry key to 0 +. + + HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128:Enabled + + To disable using PowerShell enter the following command: + +(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('AES 128/128')
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null +
+ Impact: + + + Warning: + Enabling AES 128/128 may be required for client compatibility. + +
+
+
+ + + + + + + +
+ + (L1) Ensure AES 256/256 Cipher Suite is Enabled + + AES 256/256 is the most recent and mature cipher suite for protecting the confidentiality and integrity of HTTP traffic. Enabling AES 256/256 is recommended. + + Note: + AES 256/256 is enabled by default starting with Server 2012 and 2012 R2. + + + + + + + Data + Protect + + + + + + Data + Protect + + + + + + Enabling this cipher will help ensure the confidentiality and integrity of data in transit. + + + + http://technet.microsoft.com/en-us/library/dn786419.aspx + http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx + https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 + http://technet.microsoft.com/en-us/library/dn786433.aspx + + + + +Perform the following to enable AES 256/256 + cipher: + + +Set the following Registry key to 1 +. + + HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256:Enabled + + To enable using PowerShell enter the following command: + +(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('AES 256/256')
+
+New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null +
+ Impact: + + N/A + +
+
+
+ + + + + + + +
+ + (L2) Ensure TLS Cipher Suite ordering is Configured + + Cipher suites are a named combination of authentication, encryption, message authentication code, and key exchange algorithms used for the security settings of a network connection using TLS protocol. Clients send a cipher list and a list of ciphers that it supports in order of preference to a server. The server then replies with the cipher suite that it selects from the client cipher suite list. + + + + + + + Data + Protect + + + + + + Data + Protect + + + + + + Cipher suites should be ordered from strongest to weakest in order to ensure that the more secure configuration is used for encryption between the server and client. + + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + + + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + + + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + + + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + Avoid cipher suits that do not provide Perfect Forward Secrecy or use weak hashing function, use them only if you need to support backwards compatibility and in the bottom of the list and you will have to create exceptions for the items that cause this to become out of compliance: + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (uses SHA-1) + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (uses SHA-1) + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (uses SHA-1) + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (uses SHA-1) + TLS_RSA_WITH_AES_256_GCM_SHA384 (lack of Perfect Forward Secrecy) + TLS_RSA_WITH_AES_128_GCM_SHA256 (lack of Perfect Forward Secrecy) + TLS_RSA_WITH_AES_256_CBC_SHA256 (lack of Perfect Forward Secrecy) + TLS_RSA_WITH_AES_128_CBC_SHA256 (lack of Perfect Forward Secrecy) + TLS_RSA_WITH_AES_256_CBC_SHA (uses SHA-1, lack of Perfect Forward Secrecy) + TLS_RSA_WITH_AES_128_CBC_SHA (uses SHA-1, lack of Perfect Forward Secrecy) + + Note: + HTTP/2 compatibility: first 4 
ciphers (in bold) in the top part list are compatible with HTTP/2 + + + + + + + Perform the following to configure TLS cipher suite order: + + +Set the following Registry key to TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +. + + HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002:Functions + + To configure TLS cipher suite order using PowerShell enter the following command: + +New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Force | Out-Null
+
+New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value 'TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' -PropertyType 'MultiString' -Force | Out-Null +
+ Impact: + + Cipher ordering is important to ensure that the most secure ciphers are listed first and will be applied over weaker ciphers when possible. + +
+
+
+ + + + + + + +
+
+ + + + + + + + + + +1dgQoBBPyJNtO8er2cY9rcIvtPo= + + + +ajiQa7zgKiX3poxqNSgP90uXuvf0EdaDw0ahYZiDunKJtVP1CloINpRKsMkU3pvfJkbOKAlHpaVV +W6r67Vc5dLymm5TxpZexXlB+Dbgvemf8AHYdMQoI6JxvIkZvM/vKVjTjryqO2KQgJBBLheijQExj +ruwDNrzknPt9TWAqFF+BCltyA1+H94eMWyg3PHweVmRzScGAmEeifPqv0wEbIjbLFCS80TXR7iNG +hXtM0LelkyxOxVubzKto7EkYpqUrzyB1tuP8Ewv0irBMFIEipCjwe8y49lAlPkPqLAXn72/N7NDI +/Oyhye9E0VHhpe/PEaBHQtph+N3qM2K0iTJbtg== + + + + +MIIFUjCCBDqgAwIBAgIIPx+qZKptEY4wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNVBAYTAlVTMRAw +DgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNv +bSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMw +MQYDVQQDEypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjAw +OTA4MTMzOTM5WhcNMjMxMDI4MDAzMjA1WjCBkzELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZ +b3JrMRcwFQYDVQQHEw5FYXN0IEdyZWVuYnVzaDErMCkGA1UEChMiQ2VudGVyIGZvciBJbnRlcm5l +dCBTZWN1cml0eSwgSW5jLjErMCkGA1UEAxMiQ2VudGVyIGZvciBJbnRlcm5ldCBTZWN1cml0eSwg +SW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDBp4+sl9kB5JRmnQH0wcbLLz/t +n2HoD6TRl3xJj12V61njBNgaiGzvoSl07sFLnESukb0CU44MzYDoUMdx3HJUcEAeMY/9eITqGUnk +N4WsP145eFqH7FoszOY/4NYlgYMYt8ZP2kRHyim9LpQTLT/1mBaUkY2f2e5uUCootH3iT8W3/sK2 +flLzWfLgXTvkhJm4Uvw1RErBFs15+krW0KWtnZ6NmiDhmV0CnFGNnd1meGZPs2sBXEVGLJVSKzoT +G9Ht/oWyRLRcJuXpHoXTYpkqM2MsixmSaJy5b6/D35r0NXHru3p1gkX2a0VgJQxxWqLi3bVPzpl3 +PlJu3C8M/FUCAwEAAaOCAYUwggGBMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwMw +DgYDVR0PAQH/BAQDAgeAMDUGA1UdHwQuMCwwKqAooCaGJGh0dHA6Ly9jcmwuZ29kYWRkeS5jb20v +Z2RpZzJzNS02LmNybDBdBgNVHSAEVjBUMEgGC2CGSAGG/W0BBxcCMDkwNwYIKwYBBQUHAgEWK2h0 +dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS8wCAYGZ4EMAQQBMHYGCCsG +AQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUF +BzAChjRodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0 +MB8GA1UdIwQYMBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMB0GA1UdDgQWBBT7fOf4ISDprbE+qUFe ++friFTKgHjANBgkqhkiG9w0BAQsFAAOCAQEAT0XLw2vmuq6e58bkLDXdqKeGQjREDChLw2Mae9LI 
+JB93QgdA2OCLA1FwU2s7lawEDcma9wPiugxVGoaQNOfRw2/+cz0xmR3uaKQq6I24dWbHF20N2tSz +1RAAK1lRZKewA1fj+qqKWjzETA0LpqZlaFF+CKBpQcyfYyQRZxpHkB1vvKMf4kMIRKruvl4ixLjN +uAZrbQUWlXuq/MUkVP3FgdxWBPfmMGyngHs4hNMaSQGb1TEhBjj+PGoSunAyaOgO/P94XJPQQX3O +2oNDsPou6gKcNtbZrH+iYTJ8rcqQTontMwSP/HrYj8lgG3neG53vk05p0jCn2M5W0ukJ4LPEnA== + + + + +0MGnj6yX2QHklGadAfTBxssvP+2fYegPpNGXfEmPXZXrWeME2BqIbO+hKXTuwUucRK6RvQJTjgzN +gOhQx3HcclRwQB4xj/14hOoZSeQ3haw/Xjl4WofsWizM5j/g1iWBgxi3xk/aREfKKb0ulBMtP/WY +FpSRjZ/Z7m5QKii0feJPxbf+wrZ+UvNZ8uBdO+SEmbhS/DVESsEWzXn6StbQpa2dno2aIOGZXQKc +UY2d3WZ4Zk+zawFcRUYslVIrOhMb0e3+hbJEtFwm5ekehdNimSozYyyLGZJonLlvr8PfmvQ1ceu7 +enWCRfZrRWAlDHFaouLdtU/OmXc+Um7cLwz8VQ== +AQAB + + + +
\ No newline at end of file diff --git a/test/tests/diff.spec.ts b/test/tests/diff.spec.ts index cd68582..dc78e27 100644 --- a/test/tests/diff.spec.ts +++ b/test/tests/diff.spec.ts @@ -5,6 +5,7 @@ import {createWinstonLogger} from '../../src/utilities/logging' import {processInSpecProfile} from '../../src/parsers/json' const thisLogger = createWinstonLogger('ts-inspec-objects') + const V1R2 = processXCCDF(fs.readFileSync('test/sample_data/xccdf/input/STIG/U_RHEL_8_STIG_V1R2_Manual-xccdf.xml', 'utf-8'), false, 'group'); const V1R3 = processXCCDF(fs.readFileSync('test/sample_data/xccdf/input/STIG/U_RHEL_8_STIG_V1R3_Manual-xccdf.xml', 'utf-8'), false, 'group'); 
@@ -13,35 +14,33 @@ const V2R7 = processXCCDF(fs.readFileSync('test/sample_data/xccdf/input/STIG/U_R const V3R7 = processInSpecProfile(fs.readFileSync('test/sample_data/inspec/json/rhel-7-v3r7-mini-sample-profile.json', 'utf-8')); const V3R6 = processInSpecProfile(fs.readFileSync('test/sample_data/inspec/json/rhel-7-v3r6-mini-profile.json', 'utf-8')); -const V3R8 = processXCCDF(fs.readFileSync('test/sample_data/xccdf/input/STIG/rhel-7-v3r8-mini-sample-xxcdf.xml', 'utf-8'), false, 'rule'); +const V3R8_rule = processXCCDF(fs.readFileSync('test/sample_data/xccdf/input/STIG/rhel-7-v3r8-mini-sample-xxcdf.xml', 'utf-8'), false, 'rule'); +const V3R8_group = processXCCDF(fs.readFileSync('test/sample_data/xccdf/input/STIG/rhel-7-v3r8-mini-sample-xxcdf.xml', 'utf-8'), false, 'group'); describe('The diff utils', () => { it('Successfully finds the difference between RHEL 8 V1R2 XCCDF and V1R3 XCCDF', () => { const expected = JSON.parse(fs.readFileSync('test/sample_data/diffs/RHEL8_V1R2_V1R3.json', 'utf-8')) - expect(diffProfile(V1R2, V1R3, thisLogger)).toEqual(expected) }) it('Successfully finds the difference between a RHEL 7 V2R6 InSpec Profile and V2R7 XCCDF', () => { const expected = JSON.parse(fs.readFileSync('test/sample_data/diffs/RHEL7_V2R6_V2R7.json', 'utf-8')) - expect(diffProfile(V2R6, V2R7, thisLogger)).toEqual(expected) }) }) -describe('The diff utils', () => { - - const profileDiff_7 = diffProfile(V3R7, V3R8, thisLogger); - const profileDiff_6 = diffProfile(V3R6, V3R8, thisLogger); - +describe('The diff utils for controls with rule as Id', () => { + const profileDiff_6 = diffProfile(V3R6, V3R8_rule, thisLogger); + const profileDiff_7 = diffProfile(V3R7, V3R8_rule, thisLogger); + it('should correctly identify added controls', () => { expect(profileDiff_7.rawDiff.addedControlIDs).toEqual(['SV-204394']); }) it('should correctly identify removed controls', () => { - expect(profileDiff_7.rawDiff.removedControlIDs).toEqual([]); + 
expect(profileDiff_7.rawDiff.removedControlIDs).toEqual(['SV-204474']); }) it('should correctly identify renamed controls', () => { - expect(profileDiff_7.rawDiff.renamedControlIDs).toEqual({'SV-204474': 'SV-204392', 'V-73165': 'SV-204565'}); + expect(profileDiff_7.rawDiff.renamedControlIDs).toEqual({'V-73165': 'SV-204565'}); }) it('should correctly identify changes in existing controls', () => { // we know that the description in the sample's SV-251703 changed 
@@ -59,7 +58,38 @@ describe('The diff utils', () => { expect(_.get(profileDiff_6, 'ignoreFormattingDiff.changedControls.["SV-204392"].descs.check')).toBeFalsy(); expect(_.get(profileDiff_6, 'rawDiff.changedControls.["SV-204392"].descs.check')).toBeTruthy(); }) + // Test nested rules in one group +}) + +describe('The diff utils for controls with group as Id', () => { + const profileDiff_8 = diffProfile(V3R7, V3R8_group, thisLogger); + const profileDiff_6 = diffProfile(V3R6, V3R8_group, thisLogger); + it('should correctly identify added controls', () => { + expect(profileDiff_8.rawDiff.addedControlIDs).toEqual(['V-204392', 'V-204394', 'V-251703']); + }) + it('should correctly identify removed controls', () => { + expect(profileDiff_8.rawDiff.removedControlIDs).toEqual(['SV-204392', 'SV-204474', 'SV-251703']); + }) + it('should correctly identify renamed controls', () => { + expect(profileDiff_8.rawDiff.renamedControlIDs).toEqual({'V-73165': 'V-204565'}); + }) + it('should correctly identify changes in existing controls', () => { + // we know that the description in the sample's SV-251703 changed + expect(_.get(profileDiff_8, 'rawDiff.changedControls.["V-204565"].descs.check')).toBeTruthy(); + }) + it('should ignore whitespace for ignoreFormattedDiff, but consider whitespace changes for rawDiff', () => { + // this particular control ONLY had a few newlines change in its description + // ignoreFormattingDiff should ignore this, but rawDiff should not + expect(_.get(profileDiff_8, 'ignoreFormattingDiff.changedControls.["V-204392"].descs.check')).toBeFalsy(); + expect(_.get(profileDiff_8, 'rawDiff.changedControls.["V-204565"].descs.check')).toBeTruthy(); + }) + it('should correctly identify no changes in control with ruby string formatting (%q)', () => { + // this particular control ONLY had a few newlines change in its description + // ignoreFormattingDiff should ignore this, but rawDiff should not + expect(_.get(profileDiff_6, 
'ignoreFormattingDiff.changedControls.["SV-204392"].descs.check')).toBeFalsy(); + expect(_.get(profileDiff_6, 'rawDiff.changedControls.["V-204565"].descs.check')).toBeFalsy; + }) // Test nested rules in one group -}) +}) \ No newline at end of file diff --git a/test/tests/xccdf.spec.ts b/test/tests/xccdf.spec.ts index 30d0401..5360233 100644 --- a/test/tests/xccdf.spec.ts +++ b/test/tests/xccdf.spec.ts 
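Review bot: The last assertion in 'should correctly identify no changes in control with ruby string formatting (%q)' never runs, because `toBeFalsy` is referenced but not called; `expect(_.get(profileDiff_6, 'rawDiff.changedControls.["V-204565"].descs.check')).toBeFalsy;` is a no-op and should end in `.toBeFalsy();`. The two comments above that assertion are copied from the whitespace test and talk about newline changes rather than %q formatting; replace them with one comment that states what this control actually exercises. In the whitespace test the ignoreFormattingDiff check targets `V-204392`, which the added-controls expectation in this same hunk lists as added, so a falsy `changedControls` entry for it is presumably vacuous and `V-204565` (as in the rawDiff line below it) was likely intended. The file also now ends without a trailing newline.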
@@ -1,26 +1,71 @@ import fs from 'fs' import {processXCCDF} from '../../src/index' +// Expected XCCDF parsing to pass describe('The XCCDF Parser', () => { + const ruleIdTypes: string[] = ['group', 'rule', 'version'] + for (const file of fs.readdirSync('./test/sample_data/xccdf/input/STIG')) { - it(`Successfully parses STIG ${file}`, () => { - const xccdfProfile = processXCCDF(fs.readFileSync(`./test/sample_data/xccdf/input/STIG/${file}`, 'utf-8'), false, 'group'); - fs.writeFileSync(`./test/sample_data/profile-objects/STIG/${file}.json`, JSON.stringify(xccdfProfile, null, 2)); - }) + for (const ruleId of ruleIdTypes) { + it(`Successfully parses STIG ${file} using rule Id "${ruleId}"`, () => { + const xccdfProfile = processXCCDF(fs.readFileSync(`./test/sample_data/xccdf/input/STIG/${file}`, 'utf-8'), false, ruleId as 'group' | 'rule' | 'version'); + fs.writeFileSync(`./test/sample_data/profile-objects/STIG/${file}.json`, JSON.stringify(xccdfProfile, null, 2)); + }) + } } + ruleIdTypes.pop() // remove the version rule type + ruleIdTypes.push('cis') // add the cis rule type for (const file of fs.readdirSync('./test/sample_data/xccdf/input/CIS')) { - it(`Successfully parses CIS Benchmark ${file}`, () => { - const xccdfProfile = processXCCDF(fs.readFileSync(`./test/sample_data/xccdf/input/CIS/${file}`, 'utf-8'), false, 'group'); - fs.writeFileSync(`./test/sample_data/profile-objects/CIS/${file}.json`, JSON.stringify(xccdfProfile, null, 2)); - }) + for (const ruleId of ruleIdTypes) { + if (!(file.includes('ssg-ubuntu') && ruleId.includes('cis')) || + (file.includes('ssg-ubuntu') && !ruleId.includes('cis')) || + !file.includes('ssg-ubuntu')) { + it(`Successfully parses CIS Benchmark ${file} using rule Id "${ruleId}"`, () => { + const xccdfProfile = processXCCDF(fs.readFileSync(`./test/sample_data/xccdf/input/CIS/${file}`, 'utf-8'), false, ruleId as 'group' | 'rule' | 'version' | 'cis'); + fs.writeFileSync(`./test/sample_data/profile-objects/CIS/${file}.json`, 
JSON.stringify(xccdfProfile, null, 2)); + }) + } + } } }) +// Expected XCCDF parsing to fail due to invalid rule id +describe('The XCCDF Parser', () => { + + it('Fails to parse CIS Benchmark ssg-ubuntu1604-xccdf using rule Id "cis" due to improper rule id format', () => { + expect(() => { + const xccdfProfile = processXCCDF(fs.readFileSync('./test/sample_data/xccdf/input/CIS/ssg-ubuntu1604-xccdf.xml', 'utf-8'), false, 'cis'); + fs.writeFileSync('./test/sample_data/profile-objects/CIS/ssg-ubuntu1604-xccdf.json', JSON.stringify(xccdfProfile, null, 2)); + }).toThrow( + 'Could not parse control ID from rule ID: harden_ssh_client_crypto_policy. Expecting something in this example format: xccdf_org.cisecurity.benchmarks_rule_1.1.11_Rule_title_summary' + ); + }) + + it('Fails to parse CIS Benchmark ssg-ubuntu1804-xccdf using rule Id "cis" due to improper rule id format', () => { + expect(() => { + const xccdfProfile = processXCCDF(fs.readFileSync('./test/sample_data/xccdf/input/CIS/ssg-ubuntu1804-xccdf.xml', 'utf-8'), false, 'cis'); + fs.writeFileSync('./test/sample_data/profile-objects/CIS/ssg-ubuntu1804-xccdf.json', JSON.stringify(xccdfProfile, null, 2)); + }).toThrow( + 'Could not parse control ID from rule ID: harden_ssh_client_crypto_policy. Expecting something in this example format: xccdf_org.cisecurity.benchmarks_rule_1.1.11_Rule_title_summary' + ); + }) + + it('Fails to parse CIS Benchmark ssg-ubuntu2004-xccdf using rule Id "cis" due to improper rule id format', () => { + expect(() => { + const xccdfProfile = processXCCDF(fs.readFileSync('./test/sample_data/xccdf/input/CIS/ssg-ubuntu2004-xccdf.xml', 'utf-8'), false, 'cis'); + fs.writeFileSync('./test/sample_data/profile-objects/CIS/ssg-ubuntu2004-xccdf.json', JSON.stringify(xccdfProfile, null, 2)); + }).toThrow( + 'Could not parse control ID from rule ID: disable_prelink. 
Expecting something in this example format: xccdf_org.cisecurity.benchmarks_rule_1.1.11_Rule_title_summary' + ); + }) +}) + +// Expected XCCDF parsing to fail due to formatting describe('The XCCDF Parser', () => { it('throws an error if provided an improper format (not an XCCDF file) as input', () => { expect(() => { processXCCDF(fs.readFileSync('./test/sample_data/inspec/json/rhel-7-v3r6-mini-profile.json', 'utf-8'), false, 'group') }).toThrow('Could not process the XCCDF file, check the input to make sure this is a properly formatted XCCDF file.'); }) -}) \ No newline at end of file +})
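Review bot: The guard in the CIS loop reduces to one clause, since `!(A && B)` is already true in every case covered by `(A && !B)` and `!A`; `if (!(file.includes('ssg-ubuntu') && ruleId === 'cis')) {` expresses the same skip more readably. The `ruleId as 'group' | 'rule' | 'version' | 'cis'` assertions can go if the list is declared with that element type instead of `string[]`, e.g. `const ruleIdTypes: Array<'group' | 'rule' | 'version' | 'cis'> = ['group', 'rule', 'version']`, which also lets the later `push('cis')` type-check without a cast. Each STIG and CIS input is written to the same `${file}.json` fixture once per rule-id type, so the committed fixture reflects whichever type iterates last; if these outputs are meant to be inspected or compared, the rule-id type presumably belongs in the output file name. The three 'Fails to parse' cases differ only in file name and expected rule id and could be one table-driven loop.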